Lecture Notes in 
Computer Science 



1880 



Mihir Bellare (Ed.) 



Advances in Cryptology - 
CRYPTO 2000 



20th Annual International Cryptology Conference 
Santa Barbara, California, USA, August 2000 
Proceedings 





Springer 





Lecture Notes in Computer Science 1880 

Edited by G. Goos, J. Hartmanis and J. van Leeuwen 




Springer 

Berlin 

Heidelberg 

New York 

Barcelona 

Hong Kong 

London 

Milan 

Paris 

Singapore 

Tokyo 




Mihir Bellare (Ed.) 



Advances in Cryptology - 
CRYPTO 2000 



20th Annual International Cryptology Conference 
Santa Barbara, California, USA, August 20-24, 2000 
Proceedings 




Springer 




Series Editors 



Gerhard Goos, Karlsruhe University, Germany 
Juris Hartmanis, Cornell University, NY, USA 
Jan van Leeuwen, Utrecht University, The Netherlands 

Volume Editor 
Mihir Bellare 

University of California, Department of Computer Science and Engineering, 01 14 
9500 Gilman Drive, La Jolla, CA 92093, USA 
E-mail: mihir@cs.ucsd.edu 



Cataloging-in-Publication Data applied for 



Die Deutsche Bibliothek - CIP-Einheitsaufnahme 

Advances in cryptology : proceedings / CRYPTO 2000, 20th Annual 
International Cryptology Conference, Santa Barbara, California, USA, 
August 20 - 24, 2000. Mihir Bellare (ed.). [IACR]. - Berlin ; 
Heidelberg ; New York ; Barcelona ; Hong Kong ; London ; Milan ; 
Paris ; Singapore ; Tokyo : Springer, 2000 

(Lecture notes in computer science ; Vol. 1880) 

ISBN 3-540-67907-3 



CR Subject Classification (1998): E.3, G.2.1, D.4.6, K.6.5, F.2.1-2, C.2, J.l 
ISSN 0302-9743 

ISBN 3-540-67907-3 Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer- Verlag. Violations are 
liable for prosecution under the German Copyright Law. 

Springer- Verlag is a company in the BertelsmannSpringer publishing group. 

© Springer-Verlag Berlin Heidelberg 2000 
Printed in Germany 

Typesetting: Camera-ready by author, data conversion by Steingraber Satztechnik GmbH, Heidelberg 
Printed on acid-free paper SPIN: 10722418 06/3142 5 4 3 2 1 0 




Preface 



Crypto 2000 was the 20th Annual Crypto conference. It was sponsored by the 
International Association for Cryptologic Research (IACR) in cooperation with 
the IEEE Computer Society Technical Committee on Security and Privacy and 
the Computer Science Department of the University of California at Santa Bar- 
bara. 

The conference received 120 submissions, and the program committee se- 
lected 32 of these for presentation. Extended abstracts of revised versions of 
these papers are in these proceedings. The authors bear full responsibility for 
the contents of their papers. 

The conference program included two invited lectures. Don Coppersmith’s 
presentation “The development of DES” recorded his involvement with one of 
the most important cryptographic developments ever, namely the Data Encryp- 
tion Standard, and was particularly apt given the imminent selection of the 
Advanced Encryption Standard. Martin Abadi’s presentation “Taming the Ad- 
versary” was about bridging the gap between useful but perhaps simplistic threat 
abstractions and rigorous adversarial models, or perhaps, even more generally, 
between viewpoints of the security and cryptography communities. An abstract 
corresponding to Martin’s talk is included in these proceedings. 

The conference program also included its traditional “rump session” of short, 
informal or impromptu presentations, chaired this time by Stuart Haber. These 
presentations are not reflected in these proceedings. 

An electronic submission process was available and recommended, but for the 
first time used a web interface rather than email. (Perhaps as a result, there were 
no hardcopy submissions.) The submission review process had three phases. In 
the first phase, program committee members compiled reports (assisted at their 
discretion by sub-referees of their choice, but without interaction with other 
program committee members) and entered them, via web forms, into web-review 
software running at UCSD. In the second phase, committee members used the 
software to browse each other’s reports, discuss, and update their own reports. 
Lastly there was a program committee meeting to discuss the difficult cases. 

I am extremely grateful to the program committee members for their enor- 
mous investment of time, effort, and adrenaline in the difficult and delicate 
process of review and selection. (A list of program committee members and sub- 
referees they invoked can be found on succeeding pages of this volume.) I also 
thank the authors of submitted papers — in equal measure regardless of whether 
their papers were accepted or not — for their submissions. It is the work of this 
body of researchers that makes this conference possible. 

I thank Rebecca Wright for hosting the program committee meeting at the 
AT&T building in New York City and managing the local arrangements, and 
Ran Canetti for organizing the post-PC-meeting dinner with his characteristic 
gastronomic and oenophilic flair. 




VI 



Preface 



The web-review software we used was written for Eurocrypt 2000 by Wim 
Moreau and Joris Claessens under the direction of Eurocrypt 2000 program chair 
Bart Preneel, and I thank them for allowing us to deploy their useful and colorful 
tool. 

I am most grateful to Chanathip Namprempre (aka. Meaw) who provided 
systems, logistical, and moral support for the entire Crypto 2000 process. She 
wrote the software for the web-based submissions, adapted and ran the web- 
review software at UCSD, and compiled the final abstracts into the proceedings 
you see here. She types faster than I speak. 

I am grateful to Hugo Krawczyk for his insight and advice, provided over a 
long period of time with his usual combination of honesty and charm, and to 
him and other past program committee chairs, most notably Michael Wiener 
and Bart Preneel, for replies to the host of questions I posed during the pro- 
cess. In addition I received useful advice from many members of our community 
including Silvio Micali, Tal Rabin, Ron Rivest, Phil Rogaway, and Adi Shamir. 
Finally thanks to Matt Franklin who as general chair was in charge of the local 
organization and finances, and, on the IACR side, to Christian Cachin, Kevin 
McCurley, and Paul Van Oorsclrot. 

Chairing a Crypto program committee is a learning process. I have come to 
appreciate even more than before the quality and variety of work in our field, 
and I hope the papers in this volume contribute further to its development. 



June 2000 



Mihir Bellare 
Program Chair, Crypto 2000 




CRYPTO 2000 



August 20-24, 2000, Santa Barbara, California, USA 

Sponsored by the 

International Association for Cryptologic Research (IACR) 
in cooperation with 

IEEE Computer Society Technical Committee on Security and Privacy, 
Computer Science Department, University of California, Santa Barbara 

General Chair 

Matthew Franklin, Xerox Palo Alto Research Center, USA 

Program Chair 

Mihir Bellare, University of California, San Diego, USA 

Program Committee 



Alex Biryukov Weizmann Institute of Science, Israel 

Dan Boneh Stanford University, USA 

Christian Caclrin IBM Research, Switzerland 

Ran Canetti IBM Research, USA 

Ronald Cramer ETH Zurich, Switzerland 

Yair Frankel CertCo, USA 

Slrai Halevi IBM Research, USA 

Arjen Lenstra Citibank, USA 

Mitsuru Matsui Mitsubishi Electric Corporation, Japan 

Paul Van Oorschot Entrust Technologies, Canada 

Bart Preneel Katholieke Universiteit Leuven, Belgium 

Phillip Rogaway University of California, Davis, USA 

Victor Shoup IBM Zurich, Switzerland 

Jessica Staddon Bell Labs Research, Palo Alto, USA 

Jacques Stern Ecole Normale Superieure, France 

Doug Stinson University of Waterloo, Canada 

Salil Vadlran Massachusetts Institute of Technology, USA 

David Wagner University of California, Berkeley, USA 

Rebecca Wright AT&T Laboratories Research, USA 



Advisory members 



Michael Wiener (Crypto 1999 program chair) . . Entrust Technologies, Canada 
Joe Kilian (Crypto 2001 program chair) Intermemory, USA 




VIII Organization 



Sub-Referees 

Bill Aiello, Jeehea An, Olivier Baudron, Don Beaver, Josh Benalolr, John Black, 
Simon Blackburn, Alexandra Boldyreva, Nikita Borisov, Victor Boyko, Jan Ca- 
menisch, Suresh Chari, Scott Contini, Don Coppersmith, Claude Crepeau, Ivan 
Damgard, Anand Desai , Giovanni Di Crescenzo, Yevgeniy Dodis, Matthias 
Fitzi, Matt Franklin, Rosario Gennaro, Guang Gong, Luis Granboulan, Nick 
Howgrave-Gralram, Russell Impagliazzo, Yuval Ishai, Markus Jakobsson, Stas 
Jarecki, Thomas Johansson, Charanjit Jutla, Joe Kilian, Eyal Kushilevitz, Moses 
Liskov, Stefan Lucks, Anna Lysyanskaya, Philip MacKenzie, Subhamoy Maitra, 
Tal Malkin, Barbara Masucci, Alfred Menezes, Daniele Micciancio, Sara Miner, 
Ilia Mironov, Moni Naor , Phong Nguyen, Rafail Ostrovsky, Erez Petrank, Birgit 
Pfitzmann, Benny Pinkas, David Pointcheval, Guillaume Poupard, Tal Rabin, 
Charlie RackofF, Zulfikar Ramzan, Omer Reingold, Leo Reyzin, Pankaj Rolratgi, 
Amit Sahai, Louis Salvail, Claus Schnorr, Mike Semanko, Bob Silverman, Joe 
Silverman, Dan Simon, Nigel Smart, Ben Smeets, Adam Smith, Martin Strauss, 
Ganesh Sundaram, Serge Vaudenay, Frederik Vercauteren, Bernhard von Sten- 
gel, Ruizhong Wei, Susanne Gudrun Wetzel, Colin Williams, Stefan Wolf, Felix 
Wu, Yiqun Lisa Yin, Amir Youssef, Robert Zuccherato 




Table of Contents 



XTR and NTRU 

The XTR Public Key System 1 

Arjen K. Lenstra, Eric R. Verheul 

A Chosen-Ciphertext Attack against NTRU 20 

Eliane Jaulmes, Antoine Joux 

Privacy for Databases 

Privacy Preserving Data Mining 36 

Yehuda Lindell, Benny Pinkas 

Reducing the Servers Computation in Private Information Retrieval: 

PIR with Preprocessing 55 

Amos Beimel, Yuval Ishai, Tal Malkin 

Secure Distributed Computation and Applications 

Parallel Reducibility for Information-Tlreoretically Secure Computation ... 74 
Yevgeniy Dodis, Silvio Micali 

Optimistic Fair Secure Computation 93 

Christian Cachin, Jan Camenisch 

A Cryptographic Solution to a Game Theoretic Problem 112 

Yevgeniy Dodis, Shai Halevi, Tal Rabin 

Algebraic Cryptosystems 

Differential Fault Attacks on Elliptic Curve Cryptosystems 131 

Ingrid Biehl, Bernd Meyer, Volker Muller 

Quantum Public-Key Cryptosystems 147 

Tatsuaki Okamoto, Keisuke Tanaka, Shigenori Uchiyama 

New Public-Key Cryptosystem Using Braid Groups 166 

Ki Hyoung Ko, Sang Jin Lee, Jung Hee Cheon, Jae Woo Han, 

Ju-sung Kang, Choonsik Park 

Message Authentication 

Key Recovery and Forgery Attacks on the MacDES MAC Algorithm 184 

Don Coppersmith, Lars R. Knudsen, Chris J. Mitchell 




X 



Table of Contents 



CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions 197 
John Black, Phillip Rogaway 

L-collision Attacks against Randomized MACs 216 

Michael Semanko 

Digital Signatures 

On the Exact Security of Full Domain Hash 229 

Jean-Sebastien Coron 

Timed Commitments 236 

Dan Boneh, Moni Naor 

A Practical and Provably 

Secure Coalition- Resist ant Group Signature Scheme 255 

Giuseppe Ateniese, Jan Camenisch, Marc Joye, Gene Tsudik 

Provably Secure Partially Blind Signatures 271 

Masayuki Abe, Tatsuaki Okamoto 

Cryptanalysis 

Weaknesses in the SL 2 (F 2 n) Hashing Scheme 287 

Rainer Steinwandt, Markus Grassl, Willi Geiselmann, Thomas Beth 

Fast Correlation Attacks through Reconstruction of Linear Polynomials . . 300 
Thomas Johansson, Fredrik Jonsson 

Traitor Tracing and Broadcast Encryption 

Sequential Traitor Tracing 316 

Reihaneh Safavi-Naini, Yejing Wang 

Long-Lived Broadcast Encryption 333 

Juan A. Garay, Jessica Staddon, Avishai Wool 

Invited Talk 

Taming the Adversary 353 

Martin Abadi 

Symmetric Encryption 

The Security of All-or-Nothing Encryption: 

Protecting against Exhaustive Key Search 359 

Anand Desai 

On the Round Security of Symmetric-Key Cryptographic Primitives 376 

Zulfikar Ramzan, Leonid Reyzin 




Table of Contents 



XI 



New Paradigms for Constructing Symmetric Encryption Schemes Secure 

against Clrosen-Ciplrertext Attack 394 

Anand Desai 

To Commit or Not to Commit 

Efficient Non-malleable Commitment Schemes 413 

Marc Fischlin , Roger Fischlin 

Improved Non-committing Encryption Schemes 

Based on a General Complexity Assumption 432 

Ivan Damgard, Jesper Buus Nielsen 

Protocols 

A Note on the Round-Complexity of Concurrent Zero-Knowledge 451 

Alon Rosen 

An Improved Pseudo-random Generator Based on Discrete Log 469 

Rosario Gennaro 

Linking Classical and Quantum Key Agreement: 

Is There “Bound Information”? 482 

Nicolas Gisin, Stefan Wolf 

Stream Ciphers and Boolean Functions 

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers ... 501 
Muxiang Zhang, Agnes Chan 

Nonlinearity Bounds and Constructions of Resilient Boolean Functions . . . 515 
Palash Sarkar, Subhamoy Maitra 

Almost Independent and Weakly Biased Arrays: 

Efficient Constructions and Cryptologic Applications 533 

Jurgen Bierbrauer, Holger Schellwat 

Author Index 545 




The XTR Public Key System 



Arjen K. Lenstra 1 and Eric R. Verheul 2 



1 Citibank, N.A., 1 North Gate Road, Mendham, NJ 07945-3104, U.S.A., 
arjen. lenstra@citicorp . com 

2 PricewaterhouseCoopers, GRMS Crypto Group, Goudsbloemstraat 14, 5644 KE 
Eindhoven, The Netherlands, 

Eric . Verheul@ [nl .pwcglobal . com, pobox . com] 



Abstract. This paper introduces the XTR public key system. XTR is 
based on a new method to represent elements of a subgroup of a mul- 
tiplicative group of a finite field. Application of XTR in cryptographic 
protocols leads to substantial savings both in communication and com- 
putational overhead without compromising security. 



1 Introduction 

The Diffie-Hellman (DH) key agreement protocol was the first published prac- 
tical solution to the key distribution problem, allowing two parties that have 
never met to establish a shared secret key by exchanging information over an 
open channel. In the basic DH scheme the two parties agree upon a generator 
g of the multiplicative group GF(p)* of a prime field GF (p) and they each send 
a random power of g to the other party. Assuming both parties know p and g , 
each party transmits about log 2 (p) bits to the other party. 

In 0 it was suggested that finite extension fields can be used instead of prime 
fields, but no direct computational or communication advantages were implied. 
In |22J a variant of the basic DH scheme was introduced where g generates a 
relatively small subgroup of GF(p)* of prime order q. This considerably reduces 
the computational cost of the DH scheme, but has no effect on the number of 
bits to be exchanged. In 0 it was shown for the first time how the use of finite 
extension fields and subgroups can be combined in such a way that the number of 
bits to be exchanged is reduced by a factor 3. More specifically, it was shown that 
elements of an order q subgroup of GF (p 6 )* can be represented using 21og 2 (p) 
bits if q divides p 2 — p + 1. Despite its communication efficiency, the method 
of |3 is rather cumbersome and computationally not particularly efficient. 

In this paper we present a greatly improved version of the method from 0 
that achieves the same communication advantage at a much lower computational 
cost. We refer to our new method as XTR, for Efficient and Compact Subgroup 
Trace Representation. XTR can be used in conjunction with any cryptographic 
protocol that is based on the use of subgroups and leads to substantial savings in 
communication and computational overhead. Furthermore, XTR key generation 
is very simple. We prove that using XTR in cryptographic protocols does not 
affect their security. The best attacks we are aware of are Pollard’s rho method 
in the order q subgroup, or the Discrete Logarithm variant of the Number Field 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. 1-d 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



2 



Arjen K. Lenstra and Eric R. Verheul 



Sieve in the full multiplicative group GF(p 6 )*. With primes p and q of about 
1024/6 « 170 bits the security of XTR is equivalent to traditional subgroup sys- 
tems using 170-bit subgroups and 1024-bit finite fields. But with XTR subgroup 
elements can be represented using only about 2 * 170 bits, which is substantially 
less than the 1024-bits required for their traditional representation. 

Full exponentiation in XTR is faster than full scalar multiplication in an 
Elliptic Curve Cryptosystem (ECC) over a 170-bit prime field, and thus sub- 
stantially faster than full exponentiation in either RSA or traditional subgroup 
discrete logarithm systems of equivalent security. XTR keys are much smaller 
than RSA keys of comparable security. ECC keys allow a smaller representation 
than XTR keys, but in many circumstances (e.g. storage) ECC and XTR key 
sizes are comparable. However, XTR is not affected by the uncertainty still mar- 
ring ECC. Key selection for XTR is very fast compared to RSA, and orders of 
magnitude easier and faster than for ECC. As a result XTR may be regarded as 
the best of two worlds, RSA and ECC. It is an excellent alternative to either RSA 
or ECC in applications such as SSL/TLS (Secure Sockets Layer, Transport Layer 
Security), public key smartcards, WAP/WTLS (Wireless Application Protocol, 
Wireless Transport Layer Security), IPSEC/IKE (Internet Protocol Security, 
Internet Key Exchange), and SET (Secure Electronic Transaction). 

In |2| it is argued that ECC is the only public key system that is suitable 
for a variety of environments, including low-end smart cards and over-burdened 
web servers communicating with powerful PC clients. XTR shares this advan- 
tage with ECC, with the distinct additional advantage that XTR key selection 
is very easy. This makes it easily feasible for all users of XTR to have public keys 
that are not shared with others, unlike ECC where a large part of the public 
key is often shared between all users of the system. Also, compared to ECC, 
the mathematics underlying XTR is straightforward, thus avoiding two common 
ECC-pitfalls: ascertaining that unfortunate parameter choices are avoided that 
happen to render the system less secure, and keeping abreast of, and incorporat- 
ing additional checks published in, newly obtained results. The latest example of 
the latter is jHj , where yet another condition affecting the security of ECC over 
finite fields of characteristic two is described. As a consequence the draft IKE 
protocol (part of IPSec) for ECC was revised. Note that Odlyzko in m advises 
to use ECC key sizes of at least 300 bits, even for moderate security needs. 

XTR is the first method we are aware of that uses GF(p 2 ) arithmetic to 
achieve GF(p 6 ) security, without requiring explicit construction of GF(p 6 ). Let 
g be an element of order q > 6 dividing p 2 — p+ 1. Because p 2 — p + 1 divides the 
order p 6 — 1 of GF(p 6 )* this g generates an order q subgroup of GF(p 6 )*. Since q 
does not divide any p s — 1 for s = 1, 2, 3 (cf. jUJ), the subgroup generated by g 
cannot be embedded in the multiplicative group of any true subfield of GF(p 6 ). 
We show, however, that arbitrary powers of g can be represented using a single 
element of the subfield GF(p 2 ), and that such powers can be computed efficiently 
using arithmetic operations in GF(p 2 ) while avoiding arithmetic in GF(p 6 ). 

In Section Q we describe XTR, and in Section |3| we explain how the XTR 
parameters can be found quickly. Applications and comparisons to RSA and 



The XTR Public Key System 



3 



ECC are given in Section p] In Section^we prove that using XTR does not have 
a negative impact on the security. Extensions are discussed in Section 0 



2 Subgroup Representation and Arithmetic 

2.1 Preliminaries 

Let p = 2 mod 3 be a prime such that the sixth cyclotomic polynomial evaluated 
in p, i.e., <j>e(p) = p 2 — p+ 1, has a prime factor q > 6. In subsection 13. 1 I we give 
a fast method to select p and q. By g we denote an element of GF(p 6 )* of order 
q. Because of the choice of q , this g is not contained in any proper subfield of 
GF(p 6 ) (cf. El)- Many cryptographic applications (cf. Section 0 make use of the 
subgroup (g) generated by g. In this section we show that actual representation 
of the elements of (g) and of any other element of GF(p 6 ) can be avoided. Thus, 
there is no need to represent elements of GF(p 6 ), for instance by constructing a 
sixth or third degree irreducible polynomial over GF(p) or GF(p 2 ), respectively. 
A representation of GF(p 2 ) is needed, however. This is done as follows. 

From p = 2 mod 3 it follows that p mod 3 generates GF(3)*, so that the 
zeros a and a v of the polynomial (A 3 — 1)/ (A — 1) = A 2 + A + 1 form an 
optimal normal basis for GF(p 2 ) over GF (p). Because a 1 = a 1 mod 3 , an element 
x £ GF(p 2 ) can be represented as aqa+aqa p = aqa+aqa 2 for aq, X2 £ GF (p). In 
this representation of GF(p 2 ) an element t of GF(p) is represented as —to — to 2 , 
e.g. 3 is represented as —3a — 3a 2 . Arithmetic operations in GF(p 2 ) are carried 
out as follows. 

For any x = aqa + X2 a 2 £ GF (p 2 ) we have that x p = x\a p + X2a 2p = 
aqa + X\a 2 . It follows that p th powering in GF(p 2 ) does not require arithmetic 
operations and can thus be considered to be for free. Squaring of aqa + aqa 2 £ 
GF(p 2 ) can be carried out at the cost of two squarings and a single multiplication 
in GF(p), where as customary we do not count the cost of additions in GF (p). 
Multiplication in GF(p 2 ) can be done using four multiplications in GF (p). These 
straightforward results can simply be improved to three squarings and three 
multiplications, respectively, by using a Karatsuba-like approach (cf. fTTil l: to 
compute (aqa + X2 a 2 ) * (yict + 1/2 a 2 ) one computes Xi * y±, X2 * 2/2, and (aq + 
X2) * (3/1 + 1/2), after which aq * 2/2 + aq * y\ follows using two subtractions. 
Furthermore, from (aqa + aqa 2 ) 2 = aq (aq — 2aq)a + aq(aq — 2aq)a 2 it follows 
that squaring in GF(p 2 ) can be done at the cost of two multiplications in GF(p). 
Under the reasonable assumption that a squaring in GF(p) takes 80% of the 
time of a multiplication in GF(p) (cf. Pj), two multiplications is faster than three 
squarings. Finally, to compute x*z — y*z p £ GF(p 2 ) for x,y,z £ GF (p 2 ) four 
multiplications in GF(p) suffice, because, with x = aqa + aqa, y = 2/1 a + 2/2 a , 
and z = Z\a + aqa 2 , it is easily verified that x * z — y * z p = (21(2/1 — aq — 2/2) + 
aq(aq — aq + y 2 ))a + (21(2:1 — aq + 2/1) + 22(2/2 — aq — y\))a 2 . Thus we have the 
following. 

Lemma 2.1.1 Let x, y, z £ GF(p 2 ) with p = 2 mod 3 . 
i. Computing x p is for free. 



4 



Arjen K. Lenstra and Eric R. Verheul 



ii. Computing x 2 takes two multiplications in GF (p). 

Hi. Computing x * y takes three multiplications in GF(p). 

iv. Computing x * z — y * z p takes four multiplications in GF(p) . 

For comparison purposes we review the following well known results. 

Lemma 2.1.2 Let x,y,z £ GF(p 6 ) with p = 2 mod 3, and let a, b £ Z with 
0 < a, b < p. Assume that a squaring in GF(p) takes 80% of the time of a 
multiplication in GF(p) (cf. W- 

i. Computing x 2 takes 14.4 multiplications in GF(p). 

ii. Computing x * y takes 18 multiplications in GF(p). 

Hi. Computing x a takes an expected 23.41og 2 (a) multiplications in GF(p). 
iv. Computing x a * y b takes an expected 27.9 log 2 (max(a, b)) multiplications in 
GF(p). 

Proof. Since p = 2 mod 3, GF(p 6 ) can be represented using an optimal normal 
basis over GF(p) so that the ‘reduction’ modulo the minimal polynomial does 
not require any multiplications in GF(p). Squaring and multiplication in GF(p 6 ) 
can then be done in 18 squarings and multiplications in GF(p), respectively, 
from which i and ii follow. For Hi we use the ordinary square and multiply 
method, so we get log 2 (a) squarings and an expected 0.51og 2 (a) multiplica- 
tions in GF(p 6 ). For iv we use standard multi-exponentiation, which leads to 
log 2 (max(a, b)) squarings and 0.75 log 2 (max(a, b)) multiplications in GF(p 6 ). 



2.2 Traces 

The conjugates over GF(p 2 ) of h £ GF(p 6 ) are h, h p2 , and h pi . The trace Tr(h ) 
over GF(p 2 ) of h £ GF(p 6 ) is the sum of the conjugates over GF(p 2 ) of h, i.e., 
Tr(h ) = h+h p +h p . Because the order of h £ GF(p 6 )* divides p 6 — 1, i.e., p 6 = 1 
modulo the order of h, we have that Tr{h) p2 = Tr(h ), so that Tr{h) £ GF(p 2 ). 
For /ii,/i 2 £ GF(p 6 ) and c £ GF(p 2 ) we have that Tr(hi + h 2 ) = Tr{hi)+Tr{h 2 ) 
and Tr(c * hi) = c* Tr(hi). That is, the trace over GF(p 2 ) is GF(p 2 )-linear. 
Unless specified otherwise, conjugates and traces in this paper are over GF(p 2 ). 

The conjugates of g of order dividing p 2 — p+ 1 are g , p p_1 and g~ p because 
p 2 = p — 1 mod p 2 — p + 1 and p 4 = — p mod p 2 — p + 1. 

Lemma 2.2.1 The roots of X 3 — Tr(g)X 2 + Tr{g) p X — 1 are the conjugates 
of g- 

Proof. We compare the coefficients of X 3 — Tr(g)X 2 + Tr(g) p X — 1 with the 
coefficients of the polynomial (X — g)(X — p p_1 )(X — g~ p ). The coefficient of X 2 
follows from g+g p ~ 1 +g~ p = Tr(g ), and the constant coefficient from g 1 +P~ 1 ~P = 
1. The coefficient of X equals g * g p ~ x + g * g~ p + g p ~ x * g~ p = g p + p 1_p + p _1 - 
Because 1 — p = — p 2 mod p 2 — p + 1 and —1 = p 2 — p mod p 2 — p + 1, we find 
that g p + <? 1-p + p -1 = g p + g~ p + g p ~ p = {g + g~ p + p p_1 ) p = Tr{g ) p , which 
completes the proof. 



The XTR Public Key System 



5 



Similarly (and as proved below in Lemma[ EQ]**), the roots of X 3 — Tr(g n )X 2 + 
Tr(g n ) p X — 1 are the conjugates of g n . Thus, the conjugates of g n are fully 
determined by X 3 — Tr(g n )X 2 + Tr(g n ) p X — 1 and thus by Tr(g n ). Since 
Tr(g n ) £ GF (p 2 ) this leads to a compact representation of the conjugates of g n . 
To be able to use this representation in an efficient manner in cryptographic pro- 
tocols, we need an efficient way to compute Tr(g n ) given Tr(g). Such a method 
can be derived from properties of g and the trace function. However, since we 
need a similar method in a more general context in Section 0 we consider the 
properties of the polynomial X 3 — cX 2 + c p X — 1 for general c £ GF(p 2 ) (as 
opposed to c’s that are traces of powers of g). 



2.3 The Polynomial F(c,X) 

Definition 2.3.1 For c £ GF(p 2 ) let F(c,X ) be the polynomial X 3 — cX 2 + 
c p X — 1 £ GF(p 2 )[X'] with (not necessarily distinct) roots ho, hi, h 2 in GF(p 6 ), 
and let r(c, n) = hf; + /i" + h 2 for n £ Z. We use the shorthand c n = r(c, n). 

In this subsection we derive some properties of F(c,X) and its roots. 

Lemma 2.3.2 

i. c = Ci . 

ii. ho * hi * h 2 = 1. 

Hi. h^ * h^ + h^ * h 2 + hi * h 2 = c_„ for n £ Z. 

iv. F(c, h~ p ) = 0 for j = 0, 1, 2. 

v. c- n = c np = c p for n £ Z. 

vi. Either all hj have order dividing p 2 — p+ 1 and >3 or all hj £ GF(p 2 ). 

vii. c n £ GF(p 2 ) for n £ Z. 

Proof. The proofs of i and ii are immediate and in follows from ii. From 
F(c, hj) = ft 3 — ch 2 + c p hj — 1 = 0 it follows that hj yf 0 and that F(c, hj) p = 
h^ p — c p hj P + c p2 h p — 1 = 0. With c p2 = c and hj yf 0 it follows that — h^ p (h~ 3p — 
chj 2p + c p h~ p — 1) = —h^ p * F{c, h~ p ) = 0, which proves iv. 

From iv it follows, without loss of generality, that either hj = hff p for j = 

0,1,2, or ho = ho P , hi = hf p , and /12 = hf p , or that hj = h~ p 1 mo a 3 f° r 

j = 0, 1, 2. In either case v follows. Furthermore, in the first case all hj have 

order dividing p + 1 and are thus in GF(p 2 ). In the second case, ho has order 
_ 2 _ 2 

dividing p+ 1, hi = h 2 p = h p and h 2 = h x p = h p so that hi and h 2 both have 
order dividing p 2 — 1. It follows that they are all again in GF(p 2 ). In the last case 

it follows from 1 = h 0 * hi * h 2 that 1 = ho* hif p * hff p = ho* h^ * hff p = h^ ~ p+1 
so that ho and similarly hi and h 2 have order dividing p 2 — p + 1. If either one, 
say h 0 , has order at most 3, then h 0 has order 1 or 3 since p 2 — p + 1 is odd. 
It follows that the order of ho divides p 2 — 1 so that ho £ GF(p 2 ). But then hi 
and h 2 are in GF(p 2 ) as well, because hj = h~ p x mod 3 . It follows that in the last 
case either all hj have order dividing p 2 — p+ 1 and > 3, or all hj are in GF(p 2 ), 
which concludes the proof of vi. 



6 



Arjen K. Lenstra and Eric R. Verheul 



If all hj G GF(p 2 ), then vii is immediate. Otherwise F(c,X ) is irreducible 
and its roots are the conjugates of h 0 . Thus c n = Tr(hf;) G GF(p 2 ) (cf. 12.211 . 
This concludes the proof of vii and Lemma EDI 

Remark 2.3.3 It follows from Lemma I TTH vi that F(c,X) G GF(p 2 )[A] is 
irreducible if and only if its roots have order dividing p 2 — p + 1 and > 3. 



Lemma 2.3.4 

i- Cu- \-v — Cu * C v * C u — V T C u —2v fvT U, V G Z. 

ii. F{cn, hj 1 ) = 0 for j = 0, 1, 2 and n G Z. 

Hi. F(c,X) is reducible over GF(p 2 ) if and only if c p +\ G GF(p). 

Proof. With the definition of c n , = c_ ra (cf. Lemma 12.3.21 ?;). and Lemma 
ITT 7 ?! ii, the proof of i follows from a straightforward computation. 

For the proof of ii we compute the coefficients of (X — hg)(X — h™){X — hlf). 
We find that the coefficient of A' 2 equals — c n and that the constant coefficient 
equals — fig = —(ho*hi*h 2 ) n = — 1 (cf. Lemma. 12 .3 .21 mV The coefficient 

of X equals * hf + * hlf + h™ * h% = c_„ = (cf. Lemma, L.3.2l m and v). 

It follows that (X — h%)(X — hf)(X — hlf) = F(c n ,X) from which ii follows. 

If F(c, X) is reducible then all hj are in GF(p 2 ) (cf. Remark 12.3.31 and Lemma 
12.3.21 wb It follows that h (p+1)p = h p+1 so that h p+1 G GF(p) for j = 0, 1, 2 and 
c p+ 1 G GF(p). Conversely, if c p+ \ G GF(p), then c^ +1 = c p+ \ and F(c p+ 1 , A) = 
A 3 — Cp+iA 2 + c p+ iX — 1. Thus, F(c p +i, 1) = 0. Because the roots of F(c p+ \,X) 
are the (p + l) st powers of the roots of F(c,X) (cf. iv), it follows that F(c,X) 
has a root of order dividing p + 1, i.e., an element of GF(p 2 ), so that F(c, X) is 
reducible over GF(p 2 ). This proves Hi. 

Lemma E33« and Lemma ED- lead to a fast algorithm to compute c n for 
any n G Z. 

Corollary 2.3.5 Let c, c n _i, c n , and c n +i be given. 

i. Computing c 2n = c 2 — takes two multiplications in GF(p). 

ii. Computing c n + 2 = c * c n +i — c p * c n + c n -\ takes four multiplications in 
GF(p). 

Hi. Computing c 2n -\ = c n _i * c n — c p * c p + c^ +1 takes four multiplications in 
GF(p). 

iv. Computing c 2n +i = Cn+i * c n — c * c p + takes four multiplications in 
GF(p). 

Proof. The identities follow from Lemma. Ti. 3.21 7; and Lemma. L. 3.4t h with u = 
v = n and co = 3 for i, with u = n + 1 and v = 1 for ii, u = n — 1, v = n for Hi, 
and u = n + 1, v = n for iv. The cost analysis follows from Lemma 12.1.1 1 



Definition 2.3.6 Let S n (c) = (c„_i, c n , c n+ \) G GF(p 2 ) 3 . 



The XTR Public Key System 



7 



Algorithm 2.3.7 (Computation of S n (c) given c) If n < 0, apply this algo- 
rithm to — n and use Lemma r2.3.2h ;. If n = 0, then Sq(c) = (c p , 3, c) (cf. Lemma 
I2.3.21 ?;). If n = 1, then 5i(c) = (3,c, c 2 — 2c p ) (cf. Corollary 12.3.51 71b If n = 2, 
use Corollary 12 . 3. bl ii and S'i(c) to compute C 3 and thereby S 2 (n ) . Otherwise, to 
compute S n (c) for n > 2 let m = n. If m is even, then replace m by in — 1. Let 
£ t (c) = S , 2 t+i(c) for t £ Z, k = 1, and compute S k (c ) = S^c) using Corollary 
EZS1 ti and £( 2 ). Let (m — l )/2 = m j2 J with £ {0,1} and TO r = 1 . 

For j = r — 1, r — 2, . . . , 0 in succession do the following: 

- If rrij = 0 then use S k (c) = (c 2k , c 2k+1 ,c 2k+2 ) to compute S 2 k(c) = (c 4 fc , 
C 4 fe+i, C 4 fc+ 2 ) (using Corollary 12 . 3. bl i for 04 ^, and 04^+2 and Corollary 12.3. bl in 
for C 4 fe+i) and replace k by 2k. 

- If nrij = 1 then use S k (c) = (c 2fc , c 2fc+ i , c 2fc+2 ) to compute S 2k+ i(c) = 
(c 4 fc +2 ,C4fc + 3,C4fc+4) (using Corollary 12. 3. bi t for c 4fc+2 and c 4fc+ 4 and Corol- 
lary Enjw for 04 ^+ 3 ) and replace k by 2k + 1 , 

After this iteration we have that 2k + 1 = m so that S m (c) = S k (c). If n is even 
use S m (c) = (c m _i,c m ,c m+ i) to compute S' m+ i(c) = (c m , c m+1 , c m+2 ) (using 
Corol 1 a,r v 12 . 3 . bl ?’?’) and replace m by m + 1. As a result we have S n (c) = S m (c). 



Theorem 2.3.8 Given the sum c of the roots of F(c,X), computing the sum c n 
of the n th powers of the roots takes 81og 2 (n) multiplications in GF(p). 

Proof. Immediate from Algorithm 12. 3. 71 a, nd Corollary 12. 3. 51 

Remark 2.3.9 The only difference between the two different cases in Algorithm 
EH2](i.e., if the bit is off or on) is the application of Corol 1 a.rv 12 . 3 . 51 Hi if the bit 
is off and of Corollary iv if the bit is on. The two computations involved, 
however, are very similar and take the same number of instructions. Thus, the 
instructions carried out in Algorithm 12.3.71 for the two different cases are very 
much alike. This is a rather unusual property for an exponentiation routine and 
makes Algorithm 12.3.71 much less susceptible than usual exponentiation routines 
to environmental attacks such as timing attacks and Differential Power Analysis. 

2.4 Computing with Traces 

It follows from Lemma ^. 2.1 l and Tjemma f2.3.4l ?bl that 

S n (Tr(g)) = (Tr(g n ~ 1 ),Tr(g n ), Tr(g n+1 )) 

(cf. Definition 12 . 3. (ill . Furthermore, given Tr(g) Algorithm 12.3. /I can be used to 
compute S n (Tr(g)) for any n. Since the order of g equals q this takes 8 log 2 (n mod 
q) multiplications in GF(p) (cf. Theorem 12.3.8^ . According to Lemma. 12.1 .21 m 
computing g n given g can be expected to take 23.41og 2 (g) multiplications in 
GF(p). Thus, computing Tr(g n ) given Tr{g) is almost three times faster than 
computing g n given g. Furthermore, Tr(g n ) £ GF(p 2 ) whereas g n £ GF(p 6 ). 
So representing, storing, or transmitting Tr(g n ) is three times cheaper than it 
is for g n . Unlike the methods from for instance j2J, we do not assume that p 



Arjen K. Lenstra and Eric R. Verheul 



has a special form. Using such primes leads to additional savings by making the 
arithmetic in GF(p) faster (cf. Algorithm tkl.il) . 

Thus, we replace the traditional representation of powers of g by their traces. 
The ability to quickly compute Tr(g n ) based on Tr(g) suffices for the imple- 
mentation of many cryptographic protocols (cf. Section 0). In some protocols, 
however, the product of two powers of g must be computed. For the standard 
representation this is straightforward, but if traces are used, then computing 
products is relatively complicated. We describe how this problem may be solved 
in the cryptographic applications that we are aware of. Let Tr(g) £ GF(p 2 ) and 
Sk(Tr(g)) £ GF(p 2 ) 3 (cf. Definition I2.3.(il) be given for some secret integer k 
(the private key) with 0 < k < q. We show that Tr(g a * g bk ) can be computed 
efficiently for any a,b £ Z. 

( 00 1 \ f C n — 2 C n — 1 c n \ 

1 0 — c p and M„(c) = I c„_i c n c n+ i be 
0 1 C J y C n (: ri . 1 C n -\- 2 J 

3 x 3-matrices over GF(p 2 ) with c and c n as in Definition 12.3.1 1 and let C(V) 
denote the center column of a 3 x 3 matrix V. 



Lemma 2.4.2 S n (c) = S m (c) * A(c) n m and M n (c) = M m (c ) * A(c) n m for 
n, m £ Z. 

Proof. For n — m = 1 the first statement is equivalent with Goro11a,rv l2.;i., u )l ?». 
The proof follows by induction to n — m. 

Corollary 2.4.3 c n = S m {c) * C(A(c)" -m ). 



Lemma 2.4.4 The determinant of Mq(c) equals D = c 2p+ 2 + 18c p+1 — 4(c 3p + 
c 3 ) — 27 G GF(p) . If D ± 0 then 

. / 2c 2 - 6c p 2 c 2p + 3c - c p+2 c p+1 - 9 \ 

Mo(c)" 1 = — * 2c 2p + 3c - c p+2 (c 2 - 2c p ) p+1 - 9 (2c 2p + 3c - c p+2 ) p . 

D \ c p+1 - 9 (2c 2p + 3c - c p+2 ) p (2c 2 - 6c p ) p J 

Proof. This follows from a simple computation using Lemma f2.3.2l 7; and Corol- 
lary combined with the fact that x £ GF(p) if x p = x. 

Lemma 2.4.5 det {M 0 (Tr(g))) = ( Tr(g p+1 ) p - Tr(g p+1 )) 2 ± 0. 

Proof. This follows by observing that M 0 (Tr(g)) is the product of the Vander- 
/ 9~ X 9~ p2 9~ p4 \ 

monde matrix 11 1 and its inverse, and therefore invertible. The 

\ 9 9 p2 9 pi / 

determinant of the Vandermonde matrix equals Tr(g p+1 ) p — Tr(g p+1 ). 

Lemma 2.4.6 A(Tr(g)) n = Afo(2Y(<7)) _1 * M n (Tr(g)) can be computed in a 
small constant number of operations in GF(p 2 ) given Tr(g) and S n (Tr(g)). 



The XTR Public Key System 



9 



Proof. Tr(g n±2 ) and thus M n (Tr{g)) can be computed from S n (Tr(g)) using 
Corollarv l2.3.5l ii. The proof follows from Lemmas and ETTT1 ?;. 

Corollary 2.4.7 C(A(Tr(g)) n ) = M^Tifg))- 1 * (S n (Tr(g))) T . 



Algorithm 2.4.8 (Computation of Tr(g a * g bk )) Let Tr(g), Sk{Tr(g )) (for 
unknown k), and a, 6 G Z with 0 < a, b < q be given. 

1. Compute e = a/b mod q. 

2. Compute S e (Tr{g)) (cf. Algorithm IL3.7I) . 

3. Compute C(A{Tr{g)) e ) based on Tr(g) and S e (Tr(g)) using Corollarv l2.4.7l 

4. Compute Tr(g e+k ) = Sk{Tr(g)) * C(A(Tr(g)) e ) (cf. Corollary 12.4.311 . 

5. Compute Sb(Tr(g e+k )) (cf. Algorithm 12.3.71 . and return TV(g( e+fc ) b ) 
= Tr(g a *g bk ). 



Theorem 2.4.9 Given M 0 (Tr(g))~ 1 , Tr{g), and Sk{Tr{g )) = ( Tr(g k ~ 1 ), 
Tr{g k ) ,Tr(g k+1 )) the trace Tr(g a * g bk ) of g a * g bk can be computed at a cost of 
8 log 2 (a/b modg) + 81og 2 (6) + 34 multiplications in GF(p). 

Proof. The proof follows from a straightforward analysis of the cost of the 
required matrix vector operations and Theorem 12.3.81 

Assuming that Mo(Tr(g))~ 1 is computed once and for all (at the cost of a small 
constant number of operations in GF(p 2 )), we find that Tr(g a * g bk ) can be 
computed at a cost of 161og 2 (g) multiplications in GF (p). According to Lemma 
12.1.21 iv this computation would cost about 27.91og 2 (g) multiplications in GF(p) 
using the traditional representation. Thus, in this case the trace representation 
achieves a speed-up of a factor 1.75 over the traditional one. We conclude that 
both single and double exponentiations can be done substantially faster using 
traces than using previously published techniques. 



3 Parameter Selection 

3.1 Finite Field and Subgroup Size Selection 

We describe fast and practical methods to select the field characteristic p and 
subgroup size q such that q divides p 2 — p + 1. Denote by P and Q the sizes 
of the primes p and q to be generated, respectively. To achieve security at least 
equivalent to 1024-bit RSA, 6 P should be set to about 1024, i.e., P ~ 170, and 
Q can for instance be set at 160. Given current cryptanalytic methods we do 
not recommend choosing P much smaller than Q. 

Algorithm 3.1.1 (Selection of q and ‘nice’ p) Find r G Z such that q = 
r 2 — r + 1 is a Q-bit prime, and next find k G Z such that p = r + k * q is a P-bit 
prime that is 2 mod 3. 



10 



Arjen K. Lenstra and Eric R. Verheul 



Algorithm 13.1 .11 is quite fast and it can be used to find primes p that satisfy 
a degree two polynomial with small coefficients. Such p lead to fast arithmetic 
operations in GF(p). In particular if the search for k is restricted to k = 1 (i.e., 
search for an r such that both r 2 — r + 1 and r 2 + 1 are prime and such that 
r 2 + 1 = 2 mod 3) the primes p have a very nice form; note that in this case 
r must be even and p = 1 mod 4. On the other hand, such ‘nice’ p may be 
undesirable from a security point of view because they may make application 
of the Discrete Logarithm variant of the Number Field Sieve easier. Another 
method to generate p and q that does not have this disadvantage (and thus 
neither the advantage of fast arithmetic modulo p) is the following. 

Algorithm 3.1.2 (Selection of q and p) First, select a Q-bit prime q = 
7 mod 12. Next, find the roots ri and r 2 of A' 2 — X + 1 mod q. It follows from 
<7 = 1 mod 3 and quadratic reciprocity that ri and r 2 exist. Since q = 3 mod 4 
they can be found using a single (( q + l)/4) th powering modulo q. Finally, find 
a k £ Z such that p = Ti + k * q is a P-bit prime that is 2 mod 3 for i = 1 or 2. 

The run time of Algorithms 1.3, 1 , H and 13,1 .’Zl is dominated by the time to find the 
primes q and p. A precise analysis is straightforward and left to the reader. 

3.2 Subgroup Selection 

We consider the problem of finding a proper Tr(g) for an element g £ GF(p 6 ) 
of order q dividing p 2 — p+ 1 and > 3. Note that there is no need to find g itself, 
finding Tr(g) suffices. Given Tr(g) for an unspecified g, a subgroup generator 
can be computed by finding a root in GF(p 6 ) of F(Tr(g), X). We refer to this 
generator as g and to the order q subgroup (g) as the XTR group. Note that all 
roots of F{Tr{g),X) lead to the same XTR group. 

A straightforward approach to find Tr(g) would be to find a third degree ir- 
reducible polynomial over GF(p 2 ), use it to represent GF(p 6 ), to pick an element 
h £ GF(p 6 ) until /i(p 6_1 )/9 ^ 1, to take g = /ifp 6-1 )/^ and to compute Tr{g). 
Although conceptually easy, this method is less attractive from an implementa- 
tion point of view. A faster method that is also easier to implement is based on 
the following lemma. 

Lemma 3.2.1 For a randomly selected c £ GF(p 2 ) the probability that P(c, X) £ 
GF(p 2 )[X] is irreducible is about one third. 

Proof. This follows from a straightforward counting argument. About p 2 — p 
elements of the subgroup of order p 2 — p + 1 of GF(p 6 )* are roots of monic irre- 
ducible polynomials of the form F(c,X) (cf. Lemma [2.2.1 1 a,nd Lemma tGI.dl rab 
Since each of these polynomials has three distinct roots, there must be about 
(p 2 —p)/3 different values for c in GF(p 2 )\GF(p) such that F(c, X) is irreducible. 

With Remark EETTfl it follows that it suffices to pick a c £ GF(p 2 ) until F(c, X) is 
irreducible and until C( p 2 _ p+1 y q ^ 3 (cf. Definition 12.3.11) . and to take Tr(g) = 
C( p 2 _ p+ iy q . The resulting Tr(g ) is the trace of some g of order q , but explicit 
computation of g is avoided. As shown in } 1 .3j the irreducibility test for F[c , X) £ 



The XTR Public Key System 



11 



GF(p 2 )[X] can be done very fast, but, obviously, it requires additional code. 
We now present a method that requires hardly any additional code on top of 
Algorithm 12.3.71 

Algorithm 3.2.2 (Computation of Tr(g)) 

1. Pick c £ GF(p 2 )\GF(p) at random and compute c p+ i using Algorithm 12.3.71 

2. If c v+ 1 £ GF(p) then return to Step 1. 

3. Compute C( p 2_ p+1 y q using Algorithm 12.3.71 

4. If C( p 2 _ p+1 w 9 = 3, then return to Step 1. 

5. Let Tr(g) Gp 2— p+i)/*? - 

Theorem 3.2.3 Algorithm 1,1 ff. computes an element of GF(p 2 ) that equals 
Tr{g) for some g £ GF(p 6 ) of order q. It can be expected to require 3 q/(q — 1) 
applications of Algorithm \2. 3. \ with n = p + 1 and q/(q — 1) applications with 
n = (p 2 -p+ l)/q. 

Proof. The correctness of Algorithm 13.2.21 follows from the fact that F(c,X) is 
irreducible if c p+ 1 ^ GF(p) (cf. Lemma b.3.4l m). The run time estimate follows 
from Lemma ll.'l 1 1 and the fact that c p+ 1 fL GF(p) if F{c,X ) is irreducible (cf. 
Lemma ITTH in). 

In [TTij we present an even faster method to compute Tr(g) if p ^ 8 mod 9. 

3.3 Key Size 

The XTR public key data contain two primes p and q as in ti ll and the trace 
Tr(g) of a generator of the XTR group (cf. 13.21) . In principle the XTR public 
key data p, q , and Tr(g) can be shared among any number of participants, just 
as in DSA (and EC-DSA) finite field (and curve), subgroup order, and subgroup 
generator may be shared. Apart from the part that may be shared, someone’s 
XTR public key may also contain a public point Tr(g k ) for an integer k that 
is kept secret (the private key). Furthermore, for some applications the values 
Tr(g k ~ 1 ) and Tr(g k+1 ) are required as well (cf. Section EJ. In this section we 
discuss how much overhead is required for the representation of the XTR public 
key in a certificate, i.e., on top of the user ID and other certification related bits. 

The part ( p,q,Tr(g )) that may be shared causes overhead only if it is not 
shared. In that case, (p, q, Tr(g )) may be assumed to belong to a particular user 
or group of users in which case it is straightforward to determine (p, q,Tr(g)), 
during initialization, as a function of the user (or user group) ID and a small 
number of additional bits. For any reasonable choice of P and Q (cf. 13. 1 1) the 
number of additional bits on top of the user ID, i.e., the overhead, can easily 
be limited to 48 (6 bytes) (cf. E3), at the cost of a one time application of 
Algorithm Ed with n = (p 2 —p+l)/qby the recipient of the public key data. 

We are not aware of a method to reduce the overhead caused by a user’s public 
point Tr(g k ) £ GF(p 2 ). Thus, representing Tr(g k ) in a certificate requires rep- 
resentation of 2 P bits. The two additional values Tr(g k ~ 1 ),Tr(g k+1 ) £ GF(p 2 ), 
however, can be represented using far fewer than 4P bits, at the cost of a very 
reasonable one time computation by the recipient of the public key. 



12 



Arjen K. Lenstra and Eric R. Verheul 



This can be seen as follows. Since det(A(c) fe ) = 1, the equation from Lemma 
CT leads to a third degree equation in Tr(g k 1 ), given Tr(g), Tr(g k ), and 
Tr(g k+1 ), by taking the determinants of the matrices involved. Thus, at the 
cost of a small number of p th powerings in GF(p 2 ), Tr(g k ~ 1 ) can be deter- 
mined based on Tr(g), Tr(g k ), and Tr(g k+1 ) and two bits to indicate which 
of the roots equals Tr(g k ~ 1 ). In we present, among others, a conceptually 
more complicated method to determine Tr(g k ^ 1 ) based on Tr(g ), Tr(g k ), and 
Tr(g k+1 ) that requires only a small constant number of operations in GF(p), and 
a method to quickly determine Tr(g k+1 ) given Tr(g) and Tr(g k ) that works if 
p ^ 8 mod 9. Because this condition is not unduly restrictive we may assume 
that the two additional values Tr(g k ~ 1 ),Tr(g k+1 ) G GF(p 2 ) do not have to be 
included in the XTR public key data, assuming the public key recipient is able 
and willing to carry out a fast one time computation given the XTR public 
key data (p,q,Ti'(g) : Ti'(g k )). If this computation if infeasible for the recipient, 
then Tr{g k+1 ) must be included in the XTR public key data; computation of 
Tr(g k ^ 1 ) then takes only a small constant number of operations in GF (p). 

4 Cryptographic Applications 

XTR can be used in any cryptosystem that relies on the (subgroup) discrete 
logarithm problem. In this section we describe some applications of XTR in 
more detail: Diffie-Hellman key agreement in 14.11 ElGamal encryption in 14.21 
and Nyberg-Rueppel message recovery digital signatures in l4..4L and we compare 
XTR to RSA and ECC (cf. jHH). 

4.1 XTR-DH 

Suppose that Alice and Bob who both have access to the XTR public key data 
p , q, Tr(g) want to agree on a shared secret key K. This can be done using the 
following XTR version of the Diffie-Hellman protocol: 

1. Alice selects at random aGZ,l<a<g~2, uses Algorithm f2.3.YI to 
compute S a (Tr(g)) = (Tr(g a ~ 1 ),Tr(g a ),Tr(g a+1 )) G GF(p 2 ) 3 , and sends 
Tr(g a ) G GF(p 2 ) to Bob. 

2. Bob receives Tr(g a ) from Alice, selects at random 6 G Z, 1 < b < q — 2, 
uses Algorithm EI^3to compute Sb(Tr(g)) = (Tr(g b ~ 1 ),Tr(g b ) 1 Tr(g b+1 )) G 
GF(p 2 ) 3 , and sends Tr(g b ) G GF(p 2 ) to Alice. 

3. Alice receives Tr(g b ) from Bob, uses A 1 gori th m 12 . .4 . / 1 to compute S a {Tr(g b )) 
= (TV(f/ a_1 ) b ), Ti'(g ab ), Tr(g( a+1 ^ b )) G GF(p 2 ) 3 , and determines K based 
on Tr(g ab ) G GF(p 2 ). 

4. Bob uses Algorithm I2..4. Y\ to compute Sb(Tr(g a )) = (Ti'(g a ( b ~ 1 ^),Tr(g ab ), 
Tr(g a ( b+1 ' > )) G GF(p 2 ) 3 , and determines K based on Tr(g ab ) G GF(p 2 ). 

The communication and computational overhead of XTR-DH are both about 
one third of traditional implementations of the Diffie-Hellman protocol that are 
based on subgroups of multiplicative groups of finite fields, and that achieve the 
same level of security (cf. Subsection 12.41) . 



The XTR Public Key System 



13 



4.2 XTR-ElGamal Encryption 

Suppose that Alice is the owner of the XTR public key datap, q , Tr(g ), and that 
Alice has selected a secret integer k, computed Sk{Tr(g )), and made public the 
resulting value Tr{g k ). Given Alice’s XTR public key data (p, q,Tr(g),Tr(g k )), 
Bob can encrypt a message M intended for Alice using the following XTR version 
of the ElGamal encryption protocol: 

1. Bob selects at random b£Z, l<b<q — 2, and uses Algorithm 12.3.71 to 
compute Sb(Tr(g)) = (Tr(g b ~ 1 ), Tr(g b ), Tr(g b+1 )) £ GF(p 2 ) 3 . 

2. Bob uses Algorithm EXD to compute S b {Tr(g k )) = (Tr(g<- b -V k ),Tr(c? ,k ), 

7>( 5 (b+i)fc)) e GF(p 2 ) 3 . 

3. Bob determines a symmetric encryption key K based on Tr(g bk ) £ GF(p 2 ). 

4. Bob uses an agreed upon symmetric encryption method with key I\ to en- 
crypt M, resulting in the encryption E. 

5. Bob sends ( Tr(g b ),E ) to Alice. 

Upon receipt of ( Tr(g b ), E), Alice decrypts the message in the following way: 

1 . Alice uses Algorithm 12 . 3. 71 to compute Sk(Tr(g b )) = (Tr(g b< ' k ~ 1 ^),Tr(g bk ), 
Tr(g b(k+1 '))) £ GF(p 2 ) 3 . 

2. Alice determines the symmetric encryption key K based on Tr(g bk ) £ GF(p 2 ). 

3. Alice uses the agreed upon symmetric encryption method with key K to 
decrypt E, resulting in the encryption M. 

The message (Tr(g b ), E) sent by Bob consists of the actual encryption E, whose 
length strongly depends on the length of M, and the overhead Tr(g b ) £ GF(p 2 ), 
whose length is independent of the length of M. The communication and com- 
putational overhead of XTR-ElGamal encryption are both about one third of 
traditional implementations of the ElGamal encryption protocol that are based 
on subgroups of multiplicative groups of finite fields, and that achieve the same 
level of security (cf. Subsection 12.41 . 

Remark 4.2.1 XTR-ElGamal encryption as described above is based on the 
common hybrid version of ElGamal’s method, i.e., where the key K is used in 
conjunction with an agreed upon symmetric key encryption method. In more 
traditional ElGamal encryption the message is restricted to the key space and 
‘encrypted’ using, for instance, multiplication by the key, an invertible operation 
that takes place in the key space. In our description this would amount to re- 
quiring that M £ GF(p 2 ), and by computing E as K * M £ GF(p 2 ). Compared 
to non-hybrid ElGamal encryption, XTR saves a factor three on the length of 
both parts of the encrypted message, for messages that fit in the key space (of 
one third of the ‘traditional’ size). 

Remark 4.2.2 As in other descriptions of ElGamal encryption it is implicitly 
assumed that the first component of an ElGamal encrypted message represents 
Tr(g b ), i.e., the conjugates of a power of g. This should be explicitly verified in 
some situations, by checking that Tr(g b ) £ GF (p 2 ) \ GF(p), that Tr(g b ) / 3, 
and by using Algorithm 12.3.71 to compute S q (Tr(g b )) = (Tr(g b ( q 1 ' > ),Tr(g bq ), 
Tr{g b{ ' q+l ))) and to verify that Tr{g bq ) = 3. This follows using methods similar 
to the ones presented in Section 0 



14 



Arjen K. Lenstra and Eric R. Verheul 



4.3 XTR-Nyberg-Rueppel Signatures 

Let, as in !4.21 Alice’s XTR public key data consist of p, q , Tr(g), and Tr(g k ). Fur- 
thermore, assume that TV(y fc_1 ) and Tr(g k+1 ) (and thus Sk{Tr(g))) are avail- 
able to the verifier, either because they are part of the public key, or because they 
were reconstructed by the verifier (either from (p, q, Tr(g), Tr(g k ), Tr(g k+1 )) or 
from (p, q , Tr(g),Tr(g k ))). We describe the XTR version of the Nyberg-Rueppel 
(NR) message recovery signature scheme, but XTR can also be used in other 
‘ElGamal-like’ signature schemes. To sign a message M containing an agreed 
upon type of redundancy, Alice does the following: 

1. Alice selects at random a £ Z, 1 < a < q — 2, and uses Algorithm I2.3.YI to 
compute S a (Tr(g)) = (Tr(g a ~ 1 ),Tr(g a ) 1 Tr(g a+1 )) £ GF(p 2 ) 3 . 

2. Alice determines a symmetric encryption key K based on Tr(g a ) £ GF(p 2 ). 

3. Alice uses an agreed upon symmetric encryption method with key K to 
encrypt M, resulting in the encryption E. 

4. Alice computes the (integer valued) hash h of E. 

5. Alice computes s = (k* h + a) mod q £ {0, 1, . . . , q — 1}. 

6. Alice’s resulting signature on M is ( E,s ). 

To verify Alice’s signature (E, s) and to recover the signed message M, the 
verifier Bob does the following. 

1. Bob checks that 0 < s < q\ if not failure. 

2. Bob computes the hash h of E. 

3. Bob replaces h by —h mod q £ {0, 1, . . . , q — 1}. 

4. Bob uses Algorithm 12.4.81 to compute Tr(g s * g hk ) based on Tr(g) and 
S k (Tr(g)). 

5. Bob uses Tr(g s * g hk ) (which equals Tr(g a )) to decrypt E resulting in M. 

6. The signature is accepted 4=8 M contains the agreed upon redundancy. 

XTR-NR is considerably faster than traditional implementations of the NR 
scheme that are based on subgroups of multiplicative groups of finite fields of 
the same security level. The length of the signature is identical to other variants 
of the hybrid version of the NR scheme (cf . Remark 14 . '1. II) : an overhead part of 
length depending on the desired security (i.e., the subgroup size) and a message 
part of length depending on the message itself and the agreed upon redundancy. 
Similar statements hold for other digital signature schemes, such as DSA. 



4.4 Comparison to RSA and ECC 

We compare XTR to RSA and ECC. For the RSA comparison we give the run 
times of 1020-bit RSA and 170-bit XTR obtained using generic software. For 
ECC we assume random curves over prime fields of about 170-bits with a curve 
subgroup of 170-bit order, and we compare the number of multiplications in 
GF(p) required for 170-bit ECC and 170-bit XTR applications. This ‘theoretical’ 
comparison is used because we do not have access to ECC software. 

If part of the public key is shared (ECC or XTR only), XTR and ECC public 
keys consist of just the public point. For ECC its y-coordinate can be derived 



The XTR Public Key System 



15 



from the ^-coordinate and a single bit. In the non-shared case, public keys may 
be ID-based or non-ID-basecQ For ECC, the finite field, random curve, and 
group order take ~ 595 bits, plus a small number of bits for a point of high 
order. Using methods similar to the one alluded to in Subsection IM.MI this can be 
reduced to an overhead of, say, 48 bits (to generate curve and field based on the 
ID and 48 bits) plus 85 bits for the group order information. For XTR the sizes 
given in Table 1 follow from Subsection 15.51 For both RSA and XTR 100 ran- 



Table 1. RSA, XTR, ECC key sizes and RSA, XTR run times. 





shared 

keysize 


ID-based 

keysize 


non-ID-based 

keysize 


key 

selection 


encrypting 

(verifying) 


decrypting 

(signing) 


1020-bit RSA 


n/a 


510 bits 


1050 bits 


1224 ms 


5 ms 


40 (no CRT: 123) ms 


170-bit XTR 


340 


388 bits 


680 bits 


73 ms 


23 ms 


11 ms 


170-bit ECC 


171 


304 bits 


766 bits 





Table 2. 170-bit ECC, XTR comparison of number of multiplications in GF(p). 





encrypting 


decrypting 


encryption 

overhead 


signing 


verifying 


signature 

overhead 


DH speed 


DH size 


ECC 


3400 


1921 (1700) 


171 (340) bits 


1700 


2575 


170 bits 


3842 (3400) 


171 (340) bits 


XTR 


2720 


1360 


340 bits 


1360 


2754 


170 bits 


2720 


340 bits 



dom keys were generated. (ECC parameter generation is much slower and more 
complicated than for either RSA or XTR and not included in Table 1.) For RSA 
we used random 32-bit odd public exponents and 1020-bit moduli picked by 
randomly selecting 510-bit odd numbers and adding 2 until they are prime. For 
XTR we used Algorithm 13. 1.2l with Q = 170 and P > 170 and the fast Tr{g) ini- 
tialization method mentioned at the end of Subsection 15.21 For each RSA key 10 
encryptions and decryptions of random 1020-bit messages were carried out, the 
latter with Chinese remaindering (CRT) and without (in parentheses in Table 
1). For each XTR key 10 single and double exponentiations (i.e., applications of 
Algorithms I2.M.7I and I2.4.HI respectively) were carried out for random exponents 
< q. For RSA encryption and decryption correspond to signature verification 
and generation, respectively. For XTR single exponentiation corresponds to de- 
cryption and signature generation, and double exponentiation corresponds to 
signature verification and, approximately, encryption. The average run times 
are in milliseconds on a 450 MHz Pentium II NT workstation. The ECC figures 
in Table 2 are based on the results from speed-ups that may be obtained 
at the cost of specifying the full y-coordinates are given between parentheses. 
The time or number of operations to reconstruct the full public keys from their 
compressed versions (for either system) is not included. 



1 ID based key generation for RSA affects the way the secret factors are determined. 
The ID based approach for RSA is therefore viewed with suspicion and not generally 
used. A method from im for instance, has been broken, but no attack against the 
methods from 1121 is known. For discrete logarithm based methods (such as ECC 
and XTR) ID-based key generation affects only the part of the public key that is not 
related to the secret information, and is therefore not uncommon for such systems. 



16 



Arjen K. Lenstra and Eric R. Verheul 



5 Security 

5.1 Discrete Logarithms in GF(p*) 

Let (7) be a multiplicative group of order to. The security of the Diffie-Hellman 
protocol in (7} relies on the Diffie-Hellman (DH) problem of computing "f xy 
given 7 X and j y . We write DH( 7 x ,7 y ) = 'y xy . Two other problems are related 
to the DH problem. The first one is the Diffie-Hellman Decision (DHD) problem: 
given a,b,c £ (7} determine whether c = DH(a , b). The DH problem is at least 
as difficult as the DHD problem. The second one is the Discrete Logarithm (DL) 
problem: given a = 7 1 £ (7) with 0 < x < to, find x = DL{a). The DL problem 
is at least as difficult as the DH problem. It is widely assumed that if the DL 
problem in (7} is intractable, then so are the other two. Given the factorization 
of to, the DL problem in (7} can be reduced to the DL problem in all prime order 
subgroups of (7}, due to the Pohlig-Hellman algorithm [T7j . Thus, for the DL 
problem we may assume that to is prime. 

Let p , q, Tr(g ) be (part of) an XTR public key. Below we prove that the 
security of the XTR versions of the DL, DHD, and DH problem is equivalent to 
the DL, DHD, and DH problem, respectively, in the XTR group (cf. Subsection 
E2). First, however, we focus on the DL problem in a subgroup (7) of prime 
order to of the multiplicative group GF(p t )* of an extension field GF(p 4 ) of 
GF(p) for a fixed t. There are two approaches to this problem (cf. P, 0, 9], 
El, m, ES, EH) : one can either attack the multiplicative group or one can 
attack the subgroup. For the first attack the best known method is the Discrete 
Logarithm variant of the Number Field Sieve. If s is the smallest divisor of t 
such that (7) can be embedded in the subgroup GF(p s )* of GF(p 4 )*, then the 
heuristic expected asymptotic run time for this attack is L[p s , 1/3, 1.923], where 
L[n, v, u] = exp((u + o(l))(ln(n)) ,; (ln(ln(n))) 1 ~' 1 '). If p is small, e.g. p = 2, then 
the constant 1.923 can be replaced by 1.53. Alternatively, one can use one of 
several methods that take O(y/to) operations in (7), such as Pollard’s Birthday 
Paradox based rho method (cf. El). 

This implies that the difficulty of the DL problem in (7) depends on the size 
of the minimal surrounding subfield of (7) and on the size of its prime order to. If 
GF(p 4 ) itself is the minimal surrounding subfield of (7) and to is sufficiently large, 
then the DL problem in (7) is as hard as the general DL problem in GF(p t ). If 
p is not small the latter problem is believed to be as hard as the DL problem 
with respect to a generator of prime order « to in the multiplicative group of a 
prime field of cardinality ss p* (cf. 0, 1201 ) . The DL problem in that setting is 
generally considered to be harder than factoring t * log 2 (p)-bit RSA moduli. 

The XTR parameters are chosen in such away that the minimal surround- 
ing field of the XTR group is equal to GF(p 6 ) (cf. Section [TJ, such that p is 
not small, and such that q is sufficiently large. It follows that, if the complexity 
of the DL problem in the XTR group is less than the complexity of the DL 
problem in GF(p 6 ), then the latter problem is at most as hard as the DL prob- 
lem in GF(p 3 ), GF(p 2 ), or GF (p), i.e., the DL problem in GF(p 6 ) collapses to 
its true subfields. This contradicts the above mentioned assumption about the 
complexity of computing discrete logarithms in GF(p t ). It follows that the DL 



The XTR Public Key System 



17 



problem in the XTR group may be assumed to be as hard as the DL problem 
in GF(p 6 ), i.e., of complexity L[p 6 , 1/3, 1.923]. Thus, with respect to known at- 
tacks, the DL problem in the XTR group is generally considered to be more 
difficult than factoring a 6 * log 2 (p)-bit RSA modulus, provided the prime order 
q is sufficiently large. By comparing the computational effort required for both 
algorithms mentioned above, it turns out that if p and q each are about 170 bits 
long, then the DL problem in the XTR group is harder than factoring an RSA 
modulus of 6 * 170 = 1020 bits. 

5.2 Security of XTR 

Discrete logarithm based cryptographic protocols can use many different types 
of subgroups, such as multiplicative groups of finite fields, subgroups thereof 
(such as the XTR group), or groups of points of elliptic curves over finite fields. 
As shown in Section 0 the XTR versions of these protocols follow by replacing 
elements of the XTR group by their traces. This implies that the security of 
those XTR versions is no longer based on the original DH, DHD, or DL problems 
but on the XTR versions of those problems. We define the XTR-DH problem 
as the problem of computing Tr{g xy ) given Tr(g x ) and Tr(g v ), and we write 
XDH(g x ,g v ) = g xy . The XTR-DHD problem is the problem of determining 
whether XDH(a,b) = c for a, b, c £ Tr((g)). Given a £ Tr((g)), the XTR-DL 
problem is to find x = XDL{a ), i.e., 0 < x < q such that a = Tr(g x ). Note that 
if x = DL(a), then so are x * p 2 mod q and x * p 4 mod q. 

We say that problem A is (a, b)- equivalent to problem B , if any instance of 
problem A (or B) can be solved by at most a (or b) calls to an algorithm solving 
problem B (or A). 

Theorem 5.2.1 The following equivalences hold: 

i. The XTR-DL problem is (1,1) -equivalent to the DL problem in (g). 

ii. The XTR-DH problem is (1,2) equivalent to the DH problem in (g). 

Hi. The XTR-DHD problem is (3, 2) -equivalent to the DHD problem in (g). 

Proof. For a £ GF(p 2 ) let r(a) denote a root of F(a,X). 

To compute DL(y ), let x = XDL(Tr(y)), then DL{y) = x * p 2 - 7 mod q for 
either j = 0, j = 1, or j = 2. Conversely, XDL(a) = DL(r(a)). This proves i. 

To compute DH(x,y), compute di = XDH(Tr(x * g’),Tr(y)) for i = 0,1, 
then r{df) £ {( DH(x,y ) * y l ) p ° : j = 0,1,2}, from which DH(x,y ) follows. 
Conversely, XDH(a 1 b) = Tr(DH(r(a),r(b))). This proves ii. 

To prove in, it easily follows that DH(x,y ) = 2 if and only if XDH(Tr(x), 
Tr(y )) = Tr(z) and XDH(Tr(x* g),Tr(y)) = Tr(z*y). Conversely, XDH(a,b) 
= c if and only if DH{r{a), r(b)) = r(c) p2j for either j = 0, j = 1, or j = 2. This 
proves Hi and completes the proof of Theorem 15.2. 1 1 

Remark 5.2.2 It follows from the arguments in the proof of Theorem 15.2.1 I that 
an algorithm solving either DL, DH, or DHD with non-negligible probability can 
be transformed in an algorithm solving the corresponding XTR problem with 
non-negligible probability, and vice versa. 



18 



Arjen K. Lenstra and Eric R. Verheul 



It follows from the arguments in the proof of Theorem ion ii that in many 
practical situations a single call to an XTR-DH solving algorithm would suffice 
to solve a DL problem. As an example we mention DH key agreement where the 
resulting key is actually used after it has been established. 



Remark 5.2.3 Theorem 15.2.1 1 ii states that determining the (small) XTR-DH 
key is as hard as determining the whole DH key in the representation group 
(g). From the results in m it actually follows that determining the image of 
the XTR-DH key under any non- trivial GF(p)-linear function is also as hard 
as the whole DH key. This means that, for example, finding the a or the a 2 
coefficient of the XTR-DH key is as hard as finding the whole DH key, implying 
that cryptographic applications may be based on just one of the coefficients. 



6 Extensions 

The methods and techniques described in this paper can be extended in various 
straightforward ways to the situation where the underlying field GF(p) is itself 
an extension field, say of the form GF(p e ) for some integer e. The resulting field 
will then be of the form GF(p 6e ) instead of GF(p 6 ). The parameters p , q , and e 
should be generated so that 

— q is a prime dividing the 6e th cyclotomic polynomial (f>Q e (X) evaluated in p 

(cf. ini). 

— log 2 (g) and 6e * log 2 (p) are sufficiently large, e.g. log 2 (g) > 160 and 6e * 
log 2 (j») > 1000. 

By doing so, the parameter p can be chosen smaller to achieve the same security. 
Note that for large choices of e fewer suitable primes are available, while the 
savings obtained, if any, depend strongly on the choice that is made. In particular 
the choice p = 2 is an option, which has the property (cf. |E3J) that bits of the 
XTR-DH exchanged key are as hard as the whole key. However, for such very 
small p one should take into account that they make computation of discrete 
logarithms easier (cf. 0)) and that 6e * log 2 (p) should be at least 1740 to get 
security equivalent to 1024-bit RSA moduli. As an example, <(> 6 * 299 ( 2 ) is divisible 
by a 91-digit prime. 

Because 4>e e {X ) divides X 2e — X e + 1, one may replace p by p e in many 
expressions above, since conditions that hold modulo p 2 — p + 1 still hold if p 
and p 2 — p + 1 are replaced by p e and p 2e — p e + 1 respectively. The (mostly 
straightforward) details of these and other generalizations are left to the reader. 



Acknowledgment 

We are greatly indebted to Mike Wiener for his permission to include his im- 
provements of our earlier versions of Algorithms 12.3. /I and 12.4.31 



The XTR Public Key System 



19 



References 

1. L.M. Adleman, J. DeMarrais, A subexponential algorithm for discrete logarithms 
over all finite fields, Proceedings Crypto’93, LNCS 773, Springer- Verlag 1994, 147- 
158. 

2. D.V. Bailey, C. Paar, Optimal extension fields for fast arithmetic in public-key 
algorithms, Proceedings Crypto’98, LNCS 1462, Springer- Verlag 1998, 472-485. 

3. A.E. Brouwer, R. Pellikaan, E.R. Verheul, Doing more with fewer bits, Proceedings 
Asiacrypt99, LNCS 1716, Springer- Verlag 1999, 321-332. 

4. H. Cohen, A. Miyaji, T. Ono, Efficient elliptic curve exponentiation using mixed 
coordinates, Proceedings Asiacrypt’98, LNCS 1514, Springer- Verlag 1998, 51-65. 

5. D. Coppersmith, Fast evaluation of logarithms infields of characteristic two, IEEE 
Trans. Inform. Theory 30 (1984), 587-594. 

6. D. Coppersmith, personal communication, March 2000. 

7. T. ElGamal, A Public Key Cryptosystem and a Signature scheme Based on Discrete 
Logarithms, IEEE Transactions on Information Theory 31(4), 1985, 469-472. 

8. P. Gaudry, F. Hess, N.P. Smart, Constructive and destructive facets of Weil descent 
on elliptic curves, manuscript, January, 2000, submitted to Journal of Cryptology. 

9. D. Gordon, Discrete logarithms in GF(p) using the number field sieve, SIAM .J. 
Discrete Math. 6 (1993), 312-323. 

10. D.E. Knuth, The art of computer programming, Volume 2, Seminumerical Algo- 
rithms, second edition, Addison- Wesley, 1981. 

11. A.K. Lenstra, Using cyclotomic polynomials to construct efficient discrete loga- 
rithm cryptosystems over finite fields, Proceedings ACISP97, LNCS 1270, Springer- 
Verlag 1997, 127-138. 

12. A.K. Lenstra, Generating RSA moduli with a predetermined portion, Proceedings 
Asiacrypt ’98, LNCS 1514, Springer- Verlag 1998, 1-10. 

13. A.K. Lenstra, E.R. Verheul, Key improvements to XTR, in preparation. 

14. A.J. Menezes, Comparing the security of ECC and RSA, manuscript, Jan- 
uary, 2000, available as www.cacr.math.uwaterloo.ca/ ajmeneze/misc/cryptogram- 
article.html. 

15. A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of applied cryptography, 
CRC Press, 1997. 

16. A.M. Odlyzko, Discrete Logarithms: The past and the future, Designs, Codes and 
Cryptography, 19 (2000), 129-145. 

17. S.C. Pohlig, M.E. Heilman, An improved algorithm for computing logarithms over 
GF(p) and its cryptographic significance, IEEE Trans, on IT, 24 (1978), 106-110. 

18. J.M. Pollard, Monte Carlo methods for index computation ( mod p), Math. Comp., 
32 (1978), 918-924. 

19. O. Schirokauer, Discrete logarithms and local units, Phil. Trans. R. Soc. Lond. A 
345, 1993, 409-423. 

20. O. Schirokauer, personal communication, March 2000. 

21. O. Schirokauer, D. Weber, Th.F. Denny, Discrete logarithms: the effectiveness of 
the index calculus method, Proceedings ANTS II, LNCS 1122 Springer- Verlag 1996. 

22. C.P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology, 
4 (1991), 161-174. 

23. S.A. Vanstone, R.J. Zuccherato, Short RSA keys and their generation, Journal of 
Cryptology, 8 (1995), 101-114. 

24. E. Verheul, Certificates of recoverability with scalable recovery agent security, Pro- 
ceedings of PKC 2000, LNCS 1751, Springer- Verlag 2000, 258-275. 




A Chosen-Ciphertext Attack against NTRU 



Eliane Jaulmes 1 and Antoine Joux 2 

1 SCSSI, 18 rue du Docteur Zamenhof 
F-92131 Issy-les-Moulineaux cedex, France 

eliane . jaulmes@wanadoo . fr 

2 SCSSI, 18 rue du Docteur Zamenhof 
F-92131 Issy-les-Moulineaux cedex, France 

Antoine . JouxOens . f r 



Abstract. We present a chosen-ciphertext attack against the public key 
cryptosystem called NTRU. This cryptosystem is based on polynomial 
algebra. Its security comes from the interaction of the polynomial mixing 
system with the independence of reduction modulo two relatively prime 
integers p and q. In this paper, we examine the effect of feeding special 
polynomials built from the public key to the decryption algorithm. We 
are then able to conduct a chosen-ciphertext attack that recovers the 
secret key from a few ciphertexts/cleartexts pairs with good probability. 
Finally, we show that the OAEP-like padding proposed for use with 
NTRU does not protect against this attack. 



1 Overview 

In Hoffstein, Pipher and Silverman have presented a public key cryptosys- 
tem based on polynomial algebra called NTRU. The security of NTRU comes 
from the interaction of the polynomial mixing system with the independence 
of reduction modulo p and g. In (Jj , the authors have studied different possible 
attacks on their cryptosystem. 

First the brute force attack, which can be eased by the meet-in-the-middle 
principle, may be used against the private key or against a single message. How- 
ever, for a suitable choice of parameters this attack will not succeed in a reason- 
able time. 

Then there is a multiple transmission attack, which will provide the content 
of a message that has been transmitted several time. Thus multiple transmis- 
sions are not advised. It is also one of the reasons why NTRU recommends a 
preprocessing scheme. 

Finally, several attacks make use of the LLL algorithm of Lenstra-Lenstra- 
Lovasz mu which produces a reduced basis for a given lattice. They can either 
recover the secret key from the public key or decipher one given message. How- 
ever the authors of NTRU claim that the time required is exponential in the 
degree of the polynomials. For most lattices, it is indeed very difficult to find 
extremely short vectors. Thus for suitably large degrees, this attack is expected 
to fail and does fail in practice. Another idea, described by Coppersmith and 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. 20-1531 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



A Chosen-Ciphertext Attack against NTRU 21 

Shamir in j2j would be to use LLL to find some short vector in the lattice which 
could act as a decryption key, but the authors of NTRU claim that experimen- 
tal evidence suggests that the existence of such spurious keys does not pose a 
security threat. 

However, we show now that it is possible to break the system using a chosen- 
ciphertext attack. Such attacks have already been used for example in PJ and |5j. 
They work as follows: The attacker constructs invalid cipher messages. If he 
can know the plaintexts corresponding to his messages, he can recover some 
information about the decryption key or even retrieve the private key. In [5J , the 
authors point out that finding the plaintext corresponding to a given ciphertext 
can reasonably be achieved. This possibility is even increased if decryption is 
done on a smart card. The standard defense against such attacks is to require 
redundancy in the message and this is why there exists a padded version of 
NTRU. The chosen-ciphertext attack we present here has a good probability 
of recovering the private key from one or two well chosen ciphertexts on the 
unpadded version of NTRU. It is also able to recover the key on the padded 
version from a reasonable number of chosen ciphertexts. 

This paper is organized as follows: we first recall the main ideas of the cryp- 
tosystem without preprocessing, then we present our chosen-ciphertext attack 
on the unpadded version and give an example of this attack. Finally we study 
the case where the OAEP-like padding is used and explain how our attack can 
still recover the private key in this situation. 

2 Description of the Cryptosystem 

2.1 Notations 

The NTRU cryptosystem depends on three integers parameters (IV, p , q ) and 
four sets of polynomials of degree ( N — 1) with integer coefficients, called Cf, 
Hg? ^ m • 

The parameters p and q are chosen with gcd(p, q) = 1 and q is much larger 
than p. All polynomials are in the ring 

R = Z[X]/(X N - 1). 

We write © to denote multiplication in R. In the system, some multiplications 
will be performed modulo q and some modulo p. 

The sets £/, C g , and C m are chosen as follows. The space of messages C m 
consists of all polynomials modulo p. Assuming p is odd, it is most convenient 
to take 

_ m has coefficients lying between 1 
raeR: -!&>—!) and !(„-!) )' 

To describe the other samples spaces, we will use sets of the form 

F has d\ coefficients equal to 1 
^2 coefficients equal to — 1, the rest 0 



e R 




U(di, (I2) 



22 



Eliane Jaulmes and Antoine Joux 



With this notation, we choose three positive integers df 7 d g: d and set 

£f = £(df,df~ 1 ), £g=£(dg 7 d g ), and £$ = £(d, d). 

We take £f = £(df,df — 1) instead of £(df,df) because we want / to be 
invertible and a polynomial satisfying /( 1) = 0 can never be invertible. 



2.2 The Key Generation 

To create an NTRU key, one chooses two polynomials / € £f and g £ £ g . The 
polynomial / must have inverses modulo p and q. We will denote these inverses 
by F p and F q . So we have: 

F p ® f =1 (mod p) and F q ® f = 1 (mod q) . 

The public key is then the polynomial: 

h = F q ® g (mod q). 

Of course, the parameters N, p, q are public too. 

The private key is the polynomial /, together with F p . 



2.3 Encryption and Decryption Procedure 

Encryption. The encryption works as follows. First, we select a message m 
from the set of plaintexts £ m . Next we choose randomly a polynomial <f> £ £ ^ 
and use the public key to compute: 

e = p<j) © h + m (mod q) . 



e is our encrypted message. 



Decryption. We have received an encrypted message e and we want to de- 
crypt it using our private key /. To do this, we should have precomputed the 
polynomial F p as described in In order to decrypt e, we compute : 

a = f ® e (mod q), 

where we choose the coefficients of a in the interval from — q/2 to q/2. Now, 
treating a as a polynomial with integer coefficients, we recover the message by 
computing: 



F p ® a (mod p ) . 



A Chosen-Ciphertext Attack against NTRU 



23 



How Decryption Works. The polynomial a verifies 

a=f®e = f®p(f>®h + f®m (mod q) 

= f®pcj)®F q ®g + f®ni (mod q) 

= p<fi®g + f®m (mod q ) . 

For appropriate parameter choices, we can ensure that all coefficients of the 
polynomial p<j> © g + / © to lie between —q/ 2 and q/2. So the intermediate value 
p4> © g + / ®m mod q is in fact the true (non modular) value of this polynomial. 
This means that when we compute a and reduce its coefficients into this interval, 
we recover exactly the polynomial pcf) ® g + f ® m. Hence its reduction modulo 
p give us / © to mod p and the multiplication by F, p retrieves the message to. 

The basic idea for the attack presented here will be to construct intermediate 
polynomials such that the modular values differ from the true values. 

2.4 Sets of Parameters for NTRU 

The authors of NTRU have defined different sets of parameters for NTRU pro- 
viding various security levels. Theses parameters are given in 1121 - 



Name 


N 


P 


q 


Lf 




£<#> 


Case A 


107 


3 


64 


£(15,14) 


£(12,12) 


£(5,5) 


Case B 


167 


3 


128 


£(61,60) 


£(20,20) 


£(18,18) 


Case C 


263 


3 


128 


£(50,49) 


£(24,24) 


£(16,16) 


Case D 


503 


3 


256 


£(216,215) 


£(72,72) 


£(55,55) 



In the original formulation of the NTRU public key cryptosystem 2J , it was 
suggested that one could use N = 107 to create a cryptosystem with moderate 
security. Such a system can be broken by lattice attacks in a few hours. Thus 
the use of case A is not recommended anymore but we will still use it to describe 
our attack in its simple version. 

3 The Chosen-Ciphertext Attack 

3.1 Principle 

As stated in 12.31 we want to build cipher texts such that the intermediate values 
in the deciphering process will differ from the true values. We first consider the 
effect of deciphering a cipher text of the form ch + c, where c is an integer and 
h is the public key. The decryption algorithm first multiplies by / modulo q: 

a= f © ch+ cf (mod q) 

= eg + cf (mod q), 

where g and / both have coefficients equal to 0, 1 or — 1. Hence the polynomial 
cf + cg have coefficients equal to 0, c, — c, 2c or —2c. We then need to reduce the 



24 



Eliane Jaulmes and Antoine Joux 



coefficients of a between — q/2 and q/2. If c has been chosen such that c < q/2 
and 2c > q/2, we will have to reduce only the coefficients equal to 2c or —2c. 

If we now suppose that a single coefficient in a is ±2c, say eq = +2c, then 
the value of a mod q is eg + cf — qx l . The deciphering process outputs 

eg ® F p + c — qx l © F p (mod p) 

If c has been chosen as a multiple of p, then the output is 

—qx z ®F p (moclp). 

Since gcd(p, q) = 1, we can recover x l ®F p = x l / f mod p and compute its inverse 
f /x l mod p. Since all the coefficients of / are 1 or —1, it is the true value of the 
polynomial. We can then compute 

g/x l = h® f /x l (mod q), 

which is also the true value of g/x l . Going back to the key process described in 
section I2~21 we can see that (/, g) and {f /x l , g/x 1 ) are equivalent keys. 

Of course, in general, the polynomial cf + eg may have none or several coef- 
ficients equal to ±2c , and then the above attack does not work anymore. In the 
next section, we will analyze the attack and generalize it to make it work for all 
the security parameters proposed for NTRU in ;?J. 

3.2 Analysis of the Attack 

We say that two polynomials Pi and P -2 have a collision when they have the 
same non zero coefficient at the same degree. 

We now define the intersection polynomial k of (Pi,P 2 ) by: 

k = kiX 1 , 



where 

{ 1 if Pi and P 2 both have their coefficient equal to 1 
—1 if Pi and P 2 both have their coefficient equal to -1 
0 otherwise 

Using this notation, we write again the result of the first decryption step of 
c + eh, as seen in section 13.11 a = eg + cf mod q = c + eh — qk 
The decrypted message obtained is then 

m = cF p ® f + cFp ® g — qF p © k (mod p) 

= c + eh — qF p © k (mod p) 

Since c has been chosen such that c = 0 mod p, 

m = — qFp © k (mod p). 



A Chosen-Ciphertext Attack against NTRU 



25 



The private key / can then be obtained from / = —qk ® m mod p 

When / and g have few common coefficients, the polynomial k has only a few 
non zero coefficients. By testing different values for k, we can compute possible 
polynomials /. The private key is likely the one that satisfies the condition 
f £ Cf. It is then a simple matter to verify our guess by trying to decrypt a 
message with / or by computing h © / mod q = g' . Then if g' = © g, we 

know we have a correct key. 

Let us study the probability of success of our attack over the sets of param- 
eters given in section o 

The probability of / and g having one and only one collision is the following: 



p = pi+p-i, 



where pi, the probability of collision of two 1, is: 



min(df — l,d g ) 

E 



k = 0 



(d g \(d g \( N-2d g \ (N-d f -d g + k\ 
\ 1 J\ k J\d f -l-k){ d f - 1 ) 



N \ f N -df + l\ 

d/Jl df- 1 ) 



and p- 1 , the probability of collision of two —1, is: 



min(df —2,d g ) 

E 



k=0 



( d a\ (dg\ ( N - 2d g \ ( N - df + 1 - dg + k 

V 1 ; U; \ d f-2-k) { d f 



N \ (N -d f + 1 \ 

d/Jl df - 1 ) 



There are similar formulas for more collisions. However, they are quickly cum- 
bersome to compute. 

Another approach is to evaluate the expected number of collisions between 
/ and g. An heuristic approximation of this number is 



(2 d f 1 ) d g 

N 



In case A, we find an average number of collisions of 3.25. We can thus expect 
k to have around three non zero coefficients. 

The table below shows the different probabilities of collisions in the different 
proposed cases. It also gives the average expected number of collisions. 



26 



Eliane Jaulmes and Antoine Joux 





Case A Case B Case C Case D 


Average number 
of collisions 


3.25 14.5 9.03 61.7 


Probability of 

0 collision 
Probability of 

1 collision 
Probability of 

2 collisions 
Probability of 

3 collisions 
Probability of 

4 collisions 


0.026 9.3 * 10 -9 3.1 * 10 -5 2 * 10" 36 
0.13 5.8 * 10 -7 5 * 10" 4 1.1 *10" 33 

0.25 9.5 * 10" 6 3 * 10 -3 1.5 * 10" 31 

0.28 8.6 * 10" 5 0.011 1.2 * 10" 29 

0.22 5.1 * 10" 4 0.028 7.3 * 10~ 28 



For example, with the parameters of NTRU 107, which has a key security 
of 2 50 against a meet-in-the-middle attack, we have a one-collision probability 
of p = 0.13. It means one over ten cipher messages will produce a polynomial 
k with a single non zero coefficient and the simple case described in section tm 
will apply. We can see that the attack, as it has currently been described, will 
fail in cases B, C and D. In section ED we generalize our idea to make it work 
in those cases. 

In general, k may have more than one coefficient, and we need to enumerate 
the possible k and compute f = k/m mod p , where m is our decrypted message. 
When /' € Cf, we have found a likely polynomial. We just need to verify that /' 
is able to decrypt messages. If we now analyze the number of possible polynomials 
k we need to test in order to recover the private key, we can first note that the 
polynomials of the form x 1 / mod x N — 1 have as many coefficients equal to 1 and 
— 1 as /. As the multiplication by x l will not change the value of the coefficients 
of a and as the decryption proceeding consists in multiplying and dividing by 
/, the rotated key f = x 1 / mod x N — 1 can be used to decrypt any message 
encrypted with /. Hence we can assume fc(0) ^ 0. 

So if we assume that k has n non zero coefficients, we will have to try 



different values for k. 



N — 1 
n — 1 

We can see in the table below the approximate number of polynomials we 
need to test function of the expected number of collisions. 



Expected no of collisions 


Case A Case B Case C Case D 


1 collision 

2 collisions 

3 collisions 

4 collisions 


2 2 2 2 

2 9 2 10 2 10 2 11 

216 2 17 2 18 2 20 

222 2 24 2 26 2 29 



The message c + ch can fail to produce the private key, if / and g have too 
many collisions. We can then try again with cx + ch and more generally with 



A Chosen-Ciphertext Attack against NTRU 



27 



polynomials of the form cx l + ch. This means considering collisions between g 
and x l / mod x N — 1. So there is a compromise between the number of possible 
collisions we will test and the number of cipher texts we will need. Many ci- 
phertexts are likely to produce at least a polynomial whose number of non zero 
coefficient is below the average value. If we have only one ciphertext, it may take 
more time to test possible polynomials before finding the key. 

3.3 Extending to Higher Security Parameters 

As seen in section 13.21 the parameters proposed in [Jj for higher security give 
us a very high number of collisions. This means that there will be an extremely 
low probability of having only a few collisions. Therefore, we can no longer use 
messages of the form cx^+ch. Instead, we reduce the average number of collisions 
by testing messages of the form 

chx n + ■ • • + chx ln + cx J1 + car 7 ' 2 + • • • + ex-*" 1 , 

where c is a multiple of p that verifies 

(n + m — l)c < q/2 and (n + m)c>q/ 2. 

We choose the numbers n and m in order to get a good probability of having only 
one or two collisions. As before, we do not explicitely compute these probabilities, 
but we estimate the average number of collisions. When this number is near 1, 
it means that the n and m are correctly chosen. An heuristic approximation of 
the number of collisions is given by: 



2 dfd™ 

]yn+m-l 



4 Example 

4.1 Detailed Example of Case D 

In 0, it is claimed that the highest security level will be obtained with the set 
of parameters D. 

We now give an example that shows, with this set of parameters, that our 
attack can recover the secret key. 

Here is the private key (/, g) we have used: 

, 502 501 . 500 499 498 . 497 496 495 494 493 492 

J = — X X X — X — X + X — X — X — X — X — X 

-x 491 + X 490 - x 488 + x 487 - x 486 - x 485 - x 482 + x 481 - x 480 - x 479 + x 477 

+ x 475 + x 474 + x 472 - x 471 + x 470 + x 468 - x 467 + x 466 + X 464 - x 463 + x 462 

,461 _ x 460 _ a ; 459 _i_ ^458 _l x 457 _ ^455 + ^454 _ ^453 _ ^451 _ ^450 , ^.449 

,448 , 447 , 446 , 445 444 443 , 442 , 441 , 440 439 , 438 

+ x x x + x — x — x x x ~r x — x + x 

437 436 435 . 434 . 433 430 429 . 428 425 . 424 . 423 

— X — X — X X X — X — X — X +35 + X 

422 421 420 418 417 416 . 415 414 . 412 411 409 

— X — X — X — X — X — X X — X X — X — X 

408 , 407 , 406 405 , 404 402 401 400 , 399 398 , 397 

— X + X — X + X — X — X — X + X — X + X 



28 



Eliane Jaulmes and Antoine Joux 



+x 396 - X 394 


+ 


x 393 - 


e 391 


+ x 390 


+ x 389 


+ x 388 


- x 387 


_ 3,386 + 3,385 


+ x 384 


+a ,383 , ^381 


- 


x 380 - 


e 379 


+ x 378 


- x 377 


+ x 376 


, 374 

+ X 


- x 373 + x 372 


+ x 371 


+x 370 - x 369 


+ 


x 368 - 


E 367 


+ x 366 


- x 365 


+ x 364 


- X 363 


_ *362 , 3,361 


- x 360 


i_3,359 _ 3.358 


- 


x 357 + 


E 356 


+ x 355 


- x 354 


^353 


- X 352 


+ *350 _ 3,349 


- x 348 


-tc 346 - x 345 


+ 


x 344 - 


x 343 


- x 342 


+ x 341 


- x 340 


- x 339 


o,338 , 337 


_l 0.336 

+ X 


3,334 _J_ 3,333 


- 


x 332 - 


E 331 


- x 330 


, 329 

+ X 


- x 328 


~327 

+ X 


+ 3,326 _j_ 3,325 


- x 324 


,3.323 _ 3.322 


+ 


x 321 - 


E 320 


- x 319 


, 318 

+ X 


+ x 317 


_l ^31.6 

+ X 


- x 315 - x 313 


- x 311 


_ 3,310 _ 3.309 


+ 


x 308 - 


x 306 


- X 305 


+ x 304 


- x 303 


+ x 302 


301 , 300 

— X + X 


- x 299 


_ 3,298 _ 3.297 


+ 


x 294 - 


x 293 


- x 292 


- x 291 


- x 290 


- x 288 


+ 3,287 _ 3,286 


- x 285 


,3,284 _ 3,283 


+ 


x 282 - 


x 280 


- x 279 


+ x 277 


- x 276 


+ x 275 


. 274 . 273 

+ X + X 


+ x 272 


-x 271 + x 270 


- 


x 269 + 


E 268 


- x 267 


- x 266 


+ x 264 


+ x 263 


_ 3,262 , 3,261 


- x 260 


_l_ 3,259 _ 3,257 


+ 


x 256 - 


E 255 


- x 254 


, 253 

+ X 


+ x 252 


+ x 251 


+ x 249 + x 248 


- x 247 


+ x 246 _ 3-245 


+ 


x 243 - 


E 242 


+ x 240 


+ x 238 


- x 237 


- X 236 


, x 234 _ x 233 


- x 232 


+x 231 - x 230 


+ 


x 229 - 


E 228 


- x 227 


+ x 226 


- x 225 


+ x 223 


, *222 _ *221 


+ 3,220 


_l_ 3,219 , 3,218 


- 


x 217 - 


x 215 


- x 214 


, 213 

+ X 


- x 212 


+ x 210 


- x 209 + x 208 


+ 3,207 


_3,206 _ 3.205 


+ 


x 203 + 


x 202 


- x 201 


- x 200 


, 199 

+ X 


+ x 198 


- x 197 + x 196 


+ x 195 


-x 194 + x 193 


+ 


x 192 + 


E 191 


+ x 190 


+ x 188 


_L ^ 187 
+ £E 


- x 186 


, *,185 _ *,184 


, _183 

+ X 


_l_ 3,182 , 3,181 


+ 


x 180 - 


E 179 


- x 178 


+ x 177 


- x 176 


+ x 175 


+ x 174 - x 173 


+ x 172 


-x 170 +x 169 


+ 


x 168 + 


167 


, 166 
+ X 


- x 165 


- x 164 


+ x 161 


+ x 160 -x 159 


_l_ 3,158 


-cc 155 + x 154 


+ 


x 152 + 


E 151 


- x 150 


, 149 


+ x 148 


. 147 

+ x 


145 142 

— X — X 


+ x 141 


3, 140 _ 3.139 


+ 


3,138 _|_ 3,137 


- x 136 


- x 135 


+ x 133 


- x 132 


+ x 131 +x 130 


+ x 128 


,3,127 _ 3,126 


+ 


x 125 + : 


E 124 


, 123 

+ X 


- x 121 


+ x 120 


+ x 118 


- x 116 +x 115 


- x 114 


3, 1 13 _ 3.112 


+ 


x 110 + x 109 


+ x 108 


+ x 107 


- x 106 


- X 105 


- x 103 + x 102 


+ 3,100 


+ *" + x 98 + x 96 + *,95 


- x 94 - x 93 - x 92 


+ X 91 - 


- x 90 - 


*89 _ 3,88 _ 3,87 


+*86 _ 3,85 + 


X 84 + X 83 


82 , 81 80 
— X + X — X 


, 79 , 78 , 

+ X + X + 


*77 + 3.75 + 3,74 


73 72 

— x — x — 


X 71 _ x 69 


68 67 , 66 

— X — X + X 


, 65 , 64 63 , 62 60 

1 x + X + X +X — X 


-* 59 + x 58 _ 


x 57 + x 56 


, 55 , 54 53 

+ X + X + X 


- x 51 - 


-x 50 + 


49 . 48 47 

X + X — X 


, 46 , 45 , 44 43 

+ x + X + X — X 


42 . 41 . 40 

— X + X + X 


- x 39 - 


-x 38 + 


*37 _ 3,36 + 3,35 


_3, 34 _ 3.32 _ 


x 31 + x 30 


29 28 . 27 

— X — X + X 


- x 25 


24 _ 


3,23 _ 3,21 _j_ 3,20 


-x 19 + x 18 _ 


x 17 - x 16 


— X' 


L5_ x 14 + x 13 


+ * 12 - 


-x 11 - 


*10 + *9 _ 3,8 




-x 7 _ 




- x 3 X 


2 - 1 














-x 499 + x 496 


+ x 495 - : 


E 487 


+ x 486 


+ x 484 


- x 480 


+ x 478 


+ *470 _ 3.466 


+ 3,465 


-x 462 + x 461 


+ x 489 + : 


E 451 


- x 446 


- x 431 


- x 428 


0,421 
+ x 


+ x 415 +x 412 


- x 411 


_3,406 _ 3,403 


- 


x 402 - 


x 398 


- x 397 


- X 395 


+ x 392 


, 373 

+ x 


- x 371 - x 370 


+ x 367 


+*366 _ 3,364 


- 


X 359 - ; 


x 355 


+ x 352 


+ x 351 


+ x 349 


_l 0.347 


+ x 340 + x 339 


+ x 338 


+*335 _j_ 3,328 


- 


x 326 + ; 


E 323 


, 317 

+ X 


- x 314 


- X 309 


- X 308 


+ x 307 + x 306 


+ 3,304 


_*303 _ 3.302 


- 


x 299 - 


x 295 


- x 292 


+ 3,291 


+ 3,289 


0.288 
+ X 


+ 3,283 , 3,281 


+ x 280 


-x 277 + x 266 


+ x 264 - : 


262 


- x 260 


- x 257 


+ x 256 


- x 255 


- x 251 - x 250 


- x 249 


_ 3,236 _ 3,235 


+ x 233 - 


232 


, 3,230 


+ x 227 


+ x 226 


224 

— X 


. 217 . 216 

+ X + X 


- x 215 


_ 3,212 , 3,206 


- 


x 205 + , 


x 203 


+ x 196 


_ 194 


+ x 193 


+ x 190 


+ 3,185 _ 3,183 


- x 177 


-x 172 - x 169 


- 


x 168 + x 165 


- x 163 


- x 157 


+ x 156 


+ x 155 


_ 3,138 , 3.136 


- x 135 


_l_x 134 + * 13 2 


- 


x 131 - ! 


r 123 


+ x 119 


- x 117 


- x 111 


- x 102 


_ *" + x 97 - 


x 95 


-x 94 + x 92 + 


x 91 - x 89 


-x* 


iS - X 86 + x 84 


~83 

+ X 


. *78 + *76 _ x 66 + x 60 



— X — c 



1 +x oyj + x*° + a 



We do not give here values of F p , F q or of the public key h since they are big and 
they can easily be computed from / and g. 

If we use messages of the form c + chx n + chx 12 + chx * 3 , our heuristic estimates 
the average number of collisions by 1.26. 




A Chosen-Ciphertext Attack against NTRU 



29 



We want c to verify c mod p = 0, 3c < q/2 and 4c > q/2. We chose c = 33, which 
satisfies this conditions. 

We use the chosen ciphertext e = 33 h + 33 + 33 hx + 33hx 4 . 

Let m be the decoded message. We find then that 

(l + a: 67 )/m (mod p) 

is a possible value f. 

That gives us the following value for f' 



x 501 - 


x 500 - 


. *499 + g.498 _ 


. x «7 + 3,496 _ 


■ x 495 - 




494 + 3,493 _ 


. x *92 + 3,490 


+x 489 


- x 488 


+ x 487 + x 486 


+ x 485 


- x 484 


- x 482 


- 


x 481 


+ x 480 


- x 479 


+ x 477 


-x 476 


+ x 475 


+ x 474 - x 473 


_ 472 


+ x 470 


+ x 469 


- 


x 468 


- x 467 


+ x 466 


+ x 465 


-x 464 


+ x 463 


. 462 461 

+ X — X 


+ x 460 


+ x 459 


+ x 458 


+ 


x 457 


+ x 455 


+ x 454 


- x 453 


+x 452 


- x 451 


+ x 450 + x 449 


+ x 448 


+ x 447 


- x 446 


- 


x 445 


. 444 

+ x 


_ 443 


+ x 442 


_|_X 441 


- x 440 


_l_ 3,439 _ 3,437 


+ x 436 


+ x 435 


+ x 434 


+ 


x 433 


- x 432 


- x 431 


+ x 428 


+x 427 


- x 426 


+ x 425 - x 422 


+ x 421 


+ x 419 


+ x 418 


- 


x 417 


+ x 416 


+ x 415 


+ x 414 


-x 412 


- x 409 


x 4 08 _ 3,407 


- x 406 


+ x 405 


+ x 404 


- 


x 403 


- x 402 


, 3,400 


- x 399 


+x 398 


, _397 

+ X 


+ x 395 + x 394 


- x 393 


^ 392 


+ x 391 


+ * 390 


- x 388 


^387 


-L ^385 
+ X 


-x 383 


+ x 382 


- x 381 - x 380 


- x 379 


r 377 

+ X 


+ x 376 


+ x 375 


+ x 374 


- x 373 


- x 372 


-x 370 


, x 369 


_|_ x 367 _|_ a ; 366 


_L 365 


, 363 

+ X 


+ x 362 


- 


x 361 


- x 360 


- x 359 


+ x 358 


-x 357 


- x 356 


_ ^355 _ 3,354 


+ x 353 


- x 352 


+ x 351 


+ x 350 


- x 349 


+ x 348 


- x 347 


+x 346 


+ x 345 


+ x 344 + x 342 


+ x 341 


- x 340 


- x 339 


- 


x 338 


- x 336 


- x 335 


- x 334 


+x 333 


+ x 332 


+ 3,331 , 3,330 


+ x 329 


- x 327 


- x 326 


+ 


x 325 


- x 324 


+ x 323 


, _322 

+ X 


_|_X 321 


+ x 320 


- x 318 - x 317 


, _316 

+ X 


+ x 315 


- x 314 


4- 


x 313 


^ 312 


+ x 311 


- X 310 


-X 309 


+ x 308 


_l_ 3,307 _ 3,306 


- x 305 


+ x 304 


- X 303 


+ x 302 


- x 301 


- x 299 


- x 298 


_|_X 297 


- x 296 


- x 295 + x 294 


- x 292 


- x 291 


- x 290 


- 


X 288 


+ x 287 


- x 286 


+ x 285 


-x 284 


- x 283 


_ 3,282 _ 3,281 


+ x 280 


_l_ 3,279 


- x 278 


- 


x 277 


+ x 276 


- x 275 


- x 274 


-x 273 


- x 272 


- x 270 + x 269 


- x 267 


- x 266 


+ x 265 


+ x 264 


- x 263 


- x 262 


+ x 261 


-x 260 


- x 259 


_ 3,258 _ 3,257 


- x 256 


- x 255 


+ x 254 


- 


x 252 


+ x 251 


- x 250 


- x 249 


-x 246 


+ x 245 


_ 3,244 _ 3,243 


+ x 241 


+ x 239 


+ x 238 


+ 


x 236 


- x 235 


, _234 

+ X 


232 


-x 231 


+ x 230 


+ 3,228 _ 3,227 


+ x 226 


+ x 225 


224 

— X 


- 


x 223 


+ x 222 


. 221 
+ x 


_ 219 


_|_X 218 


- x 217 


- x 215 - x 214 


+ x 213 


. 212 
+ x 


. 211 
+ x 


+ 


x 210 


+ x 209 


- x 208 


- x 207 


+x 206 


+ x 205 


_l_ 3,204 _ 3,203 


+ x 202 


- x 201 


- x 200 


- 


x 199 


+ x 198 


197 


- x 194 


-x 193 


+ x 192 


i89 , 188 

— X + X 


~ 187 


- x 186 


- X 185 


- 


x 184 


- x 182 


- x 181 


- x 180 


+x 179 


- x 178 


+ x 176 - x 175 


- x 173 


- x 172 


+ * 171 


+ x 170 


- x 169 


+ x 168 


- x 166 


-x 165 


- x 164 


+ x 163 - x 162 


+ x 161 


+ * 160 


- X 158 


+ x 157 


- x 155 


+ x 154 


+ x 153 


_|_X 152 


- x 151 


-x 150 +x 149 


+ x 148 


+ A 47 


+ x 145 


- 


x 144 


- x 143 


+ x 142 


- x 141 


+x 140 


+ x 138 


- x 137 + x 136 


+ x 135 


+ x 134 


- x 133 


+ 


x 132 


- x 131 


+ x 130 


- x 129 


_|_X 128 


- x 127 


126 . 125 

— X + X 


124 

— X 


, 123 

+ X 


122 

— X 


- 


121 

X 


+ x 120 


+ x 119 


- x 118 


+x 117 


- x 116 


+ x 114 -x 113 


112 

— X 


- x 110 


- x 109 


+ x 108 


- x 107 


- x 106 


, 3,105 


-x 104 


- x 103 


-x 102 +x 101 


+ x 100 


+ x 98 + x 97 - 


96 95 94 93 

x — x — x x 


92 91 , 90 , 89 88 , 87 86 

— x x + x ~r x — x x — x 


+ x 85 - 


- X 


,84 _ 


83 , 82 81 

x + x ~r x 



77 



75 



74 



— X — X — z 

1 - X 63 - X 62 - X 61 + 4 

1 + X 48 - x 47 + x 46 - „ 

' + X 34 - X 33 + X 32 - 3 



* + X 72 — X ,yJ — I 03 -|- 3 

1 - x 57 - x 56 - x 55 - C 
“ “ 40 +3 



70 



_69 



+ x 



30 



+ x 



28 



27 



* - x 67 + x 6 
1 -x 52 +x 5 

> _l_ 3,38 , 3 , 3 ' 

i , 3.25 _ 3,2. 
11 . 1 ( 



This value is different from the original one (we have / = x 236 © f), but it can be 
used to decrypt messages nonetheless. 




30 



Eliane Jaulmes and Antoine Joux 



4.2 Choice of Parameters and Running Times Table 

Here we give estimation of the running times for the different sets of parameters and 
the values chosen for m, n and c. 



Case 


A 


B 


C 


D 


m 


1 


4 


1 


1 


4 


1 


n 


1 


1 


2 


2 


2 


3 


c 


18 


15 


24 


24 


24 


33 


Avg no of collisions 


3.36 


0.712 


1.75 


0.832 


0.7 


1.27 


No of ciphertexts 
(testing 1 collision) 


_ 


4.5 




2.2 


2.25 


_ 


No of ciphertexts 
(testing 2 collisions) 


7 


_ 


2 


2 


_ 


2 


Time to test 
for 1 collision 


_ 


Is 


_ 


6s 


85s 


_ 


Time to test 
for 2 collisions 


25s 





135s 


4mn 





lh 



These running times have been obtain on a single PC, using GP/PARI CALCULATOR 
Version 2.0. 14. 



5 Plaintext Awareness with Our Chosen-Ciphertext 
Attack 

The attack described in the previous sections uses the fact that one can build a ci- 
phertext without knowing the corresponding plaintext. A cryptosystem is said to be 
plaintext aware if it is infeasible for an attacker to construct a valid ciphertext without 
knowing the corresponding plaintext (see p| which first introduced this notion and |T| 
which had a corrected definition). So in 1111 Silverman proposed to use a system similar 
to OAEP to make NTRU plaintext aware. OAEP stands for Optimal Asymmetric En- 
cryption Padding. It has been proposed by Mihir Bellare and Phillip Rogaway in [2] and 
describes an embedding scheme using an hash and a generating function that achieves 
plaintext-aware encryption. However, since OAEP applies only to a one-way trapdoor 
function, it had to be adapted to work for NTRU. 

5.1 A Description of the Embedding Scheme Proposed for NTRU 

We let 



V P (N) = {polynomials of degree at most N — 1 with mod p coefficients}, 



and we write 



{ g with its coefficients reduced 
modulo p into the range ] — p/2, p/2}. 



We need a generating function and a hash function 



G : V P {N) V P {N) and H : V P {N) x V P {N) -)■ P p (K). 



A Chosen-Ciphertext Attack against NTRU 



31 



To encrypt a message, one chooses a plaintext m from the set of plaintexts V P (N — 
K) and a polynomial <p £ £<£■ O ne computes 

e = p<j> © ft + [m + H(m, [p0 © h\ p )X N ~ K + G([p(p © ft] p )] p (mod q). (1) 

To decrypt the message, the receiver uses his private key / and the standard NTRU 
decryption method to recover a polynomial 

n = [F p © [/ © e],] P G V P (N). 

Next he computes 

b = e — n (mod p) and c = n — G(b) (mod p). 

and he writes c in the form 

c = c + c" X N ~ K with deg(c / ) < N — K and deg(c ,/ ) < K. 

Finally, he compares the quantities 

c' and H(c , b). 

If they are the same, he accepts d as a valid decryption. Otherwise he rejects the 
message as invalid. 

An attacker who does not know the underlying plaintext of a cipher message will 
have a probability of p~ K of producing a valid ciphertext. 

We are now going to show how our attack is modified with this encapsulation. 

5.2 Adaptation of Our Attack 

Principle. With this embedding, an attacker can detect when a message is valid or 
invalid. Our goal is to produce special messages that may be either valid or invalid and 
learn information from their acceptance or rejection. 

As in the unpadded version, this is achieved by replacing pep © ft by a well chosen 
polynomial. We add to this polynomial the correct encapsulation of a message m, so 
that the ciphertext will be accepted when there is no collision in the polynomial and 
rejected otherwise. 

The principle of our attack is close to what Hall, Goldberg and Schneier call a 
reaction attack in JH . It is a chosen-ciphertext attack but does not require that the 
attacker sees the decrypted plaintext. He only needs to know whether the ciphertext 
was correctly decrypted or rejected for errors. 

Such attacks have been studied on NTRU by Hoffstein and Silverman in 8| but 
they applied on the unpadded version of the cryptosystem. 

Choice of a Polynomial P. Let 

P = x n + ■ ■ ■ + x ln + ft © (x jl H x jm ) (mod q), ik,ji& N. 

and choose n and m such that the average number of collisions, as defined in section|^31 
in P is near 1, and preferably a little smaller, so that we can expect P to have no more 
than one collision. If there is no collision, there will be no decryption failure, and we 
will know we need to change P. We will have to try different P, till we found a suitable 
one. 

Now, since multiplying by ia: 1 does not change the propriety of / and ft to act 
as private and public key, we can assume the collision happens at degree 0 and is a 
collision of 1. This will simplify the presentation of the attack. 



32 



Eliane Jaulmes and Antoine Joux 



Information Obtained from Decryption Failure. Now if we can ask the 

decryption of messages of the form cx z + cP, for i ranging from 0 to N — 1, with c 
such that c = 0 mod P, (n + m)c < q/ 2 and (n + m + l)c > q/2, we can discover 
all coefficients equal to 1 in /. Indeed let us assume that we send a message of the 
above form and that we expect the decrypted message to be 0. If the answer of the 
decryption is not 0, then the decryption process will send an error since we cannot 
know the plaintext. 

Now, as we have seen in section [II] decryption will be different from 0 if and if 
only there is collision between the (N — i)th coefficient of / and the unique collision 
in P. So if decryption is 0, the (N — i)th coefficient in / will be a 0 or a —1 and if 
decryption is different than 0, that is if we have a decryption error, we know that the 
( N — i)th coefficient of / is a 1. Similarly, with messages cx l — cP, a decryption error 
indicates that the ( N — i)th coefficient of / is a —1. By testing those 2 N messages, we 
can reconstruct a key f' equivalent to /. 



Influence of the Encapsulation. But, as stated above, we now have to add some 
valid encapsulated message to our test cipher cx x ± cP (otherwise all our test messages 
will be rejected and we will not learn anything), so we do not send cx 1 ± cP, but 
cx 1 ± cP + m! . The message m! can be chosen as the correct encapsulation of any 
message m, where prf> © h has been replaced by ex* ± cP in the formula (Ell- 

After multiplication by /, we obtain cx 1 © / ± cP © / + m' © /. The coefficients 
of m! © / may be of size q / 4 and thus can produce a wrong decryption where we 
should have had a good one according only to ex' 1 © / ± cP © /. It is not possible 
to get rid of the influence of m! © /, but we can reduce it. It is indeed possible to 
take for m the value — G([cx* ± cP] p ) modp truncated to degree N — K, so that 
m! = [m + H(m, [cx 1 ± cP\ v )X N ~ k + G([cx* ± cP] p )] p will have all its coefficients of 
degree less than N — K equal to zero, m 1 has now only approximately 2K/2> non zero 
coefficients, and m! © / will have coefficients whose absolute value may be less than 
min((5c — q/2), (q/2 — 4c)). Then hopefully cP + m! will have the same property than 
cP, that is produce a wrong message when added to cx l if and if only the ( N — i)th 
coefficient of / is 1. Note that if cP+m' verify this, we can proceed exactly as described 
above to recover the private key. The problem is that m! should be recalculated each 
time, for each value of cx 1 ± cP. But, since m! comes from [[cP] 9 ] p , let us see what 
happens when we add cx 1 to cP: in the majority of cases, the addition of cx 1 to [cP] q 
will not induce a new reduction modulo q so that [[cP] g + cx l \ p = [[cP] 9 ] p (recall that 
c = 0 mod p), and m! will stay the same. For such i, we can use the system described 
above to determine the corresponding coefficients of /. For the other coefficients, we 
cannot be really sure of the coefficients we obtain, even if there is a good probability 
for them to be right. It is then possible to use either LLL algorithm to find the missing 
coefficients or choose another value for P and repeat the process. 



5.3 Example 

Algorithm. We give first a brief description of the resulting algorithm to attack 
NTRU. 

1. Choose appropriate values for m and n such that the heuristic number of collisions 

2d l d ? -n v 
N n+m - 1 will be near 1. 

2. Select a suitable c with c = 0 mod p, (m + n)c < q/2 and (m + n + l)c > q/2. 



A Chosen-Ciphertext Attack against NTRU 



33 



3. Select a value of a polynomial P. 

P = x n + ■ ■ ■ + x ln + h © (x J1 + ■ • • + x 7m ) (mod q ) 

4. Produce m! corresponding to cP: m! = [m+ H(m, [cP] p )X N ~ k + G([cP] p )] p with 
m = [-G([cP] p )] p mod X N ~ K . 

5. Ask the decryption of cP + m! . The answer should be m. If not, go back toE| 

6. For all i such that [[ex' + cP] q \ p = [[cP] 9 ] p , ask decryption of cx l + cP + m! . If the 
answer is a decryption error, the (N-i)th coefficient of f is a 1, else we know it is 
not a 1. For all other i, the (N-i)th coefficient of f' may be a 1. 

7. At the same time, for all i such that [[— cx l + cP] q \ p = [[cP]<j] p , ask decryption of 
— cx 1 + cP + m' . If the answer is a decryption error, the (N-i)th coefficient of f' is 
a —1, else we know it is not a —1. Note that if we had [[cx* + cP] q ] p ^ [[cP] 9 ] P , 
then [[—ex* + cP] q ] p = [[cP] 9 ] p . So a coefficient can not both possibly be a 1 and 
-1. 

8. Note also that if cx z + cP + m' gave a decryption error, then — cx I + cP-t-m' should 
not. If this is the case, we know that m' introduced decryption errors and we go 
back to stepEH 

9. If after a few messages there is still no decryption failure, there is no collision in 
P. Go back to step 0 

10. Count the minimal and maximal number of 1 and — 1 in /'. If this number is not 
consistent with the value of df, go back to stepQ 

11. Merge with preceeding informations obtained on /'. Eventually repeat with another 
P (stepEJ. 



Application. Here is an example of the attack with the following set of parameters: 

— (N,p,q) = (503,3,256) 

— nf = 216 

— n g = 72 

— K = 107 

Those are the parameters proposed in mi to offer the highest security. 

For n = 1 and m = 3, we find an average number of collisions equal to 1.267. 

We want c = 0 mod 3, 4c < 128, 5c > 128. We choose c = 27. 

We tested the following polynomials P: 

— P = l + h®(x + x 2 + x 3 ) 

— P = 1 + h® (x + x 2 + x 4 ) 

— P = 1 + h® (x + x 2 + x 5 ) 

— P = 1 + h® (x + x 2 + x 6 ) 

— P = 1 + h® (x + x 2 + x 7 ) 

The good ones where: 

— P = l + h®(x + x 2 + x 4 ) 

— P = 1 + h® (x + x 2 + x 7 ) 

The other ones failed at step 0 or 0 

After merging the informations gained from these two polynomials, we had only 15 
possible keys left. It is then easy to find the good one by trying to decipher a ciphertext 
or by testing whether h® f = ±x* © g mod q for some i. 



34 



Eliane Jaulmes and Antoine Joux 



We were able to recover the private key with less than 5N calls to the decryption 
oracle. 

We give now a few statistics of our algorithm with the different sets of parameters. 



Case 


A 


B 


B 


C 


D 


Value for K 


17 


49 


49 


65 


107 


Avg no of ciphertexts 


230 


310 


620 


950 


2100 


Avg running time 


11s 


17mn 


2mn 


6mn 


36mn 



Remark: even for the highest security parameters, two successful polynomials were 
enough to recover sufficient information on the secret key. 



5.4 Protection against This Attack 

Hoffstein and Silverman described in §| a similar attack but did not take into account 
the digital envelope. However he proposed different ways of countering it: 

— Change the key very often. This solution requires that one send the actual public 
key to the receiver before each communication. Each time, we will need to have 
the new public key signed with a digital certificate, proving the origin of the key. 
Under these conditions, there cannot be off-line communication. 

— Track decryption failure. Decryption failure should occur rarely under normal cir- 
cumstances. While under a ciphertext attack, this will happens quite often. One 
can detect an undergoing attack and change the key. The attacker has still the 
power of forcing someone to change its public key when he wants. 

— Induce randomness. This solution consist in adding some random px l to the mes- 
sage before its decryption. This can lead to produce invalid messages from goods 
messages when OAEP is used. It may also produce errors in our attack, but suffi- 
cient information might still be obtained. 

— Coefficient distribution analysis. The number of coefficients of the polynomial p(f>g+ 
fm falling into ranges close to q/2 or — q/2 will be larger than usual when the 
attack takes place. So one can discover the attack by looking counting the number 
of coefficients in such ranges and simply not respond to inflated polynomial. 

In fact, the easiest protection against this attack is to replace the padding described 
in eh by the construction from |1| . This construction works in the random oracle model 
and provably turns any asymmetric system into a system resistant to adaptative chosen- 
ciphertext attacks. 



6 Conclusion 

The NTRU cryptosystem makes use of the independence of reduction modulo two 
relatively prime integers p and q. This cryptosystem have proved secure against different 
attacks, such as the brute force attack, the meet-in-the-middle attack and lattice based 
attacks. Unfortunately, the structure of the private keys / and g opens a way to the 
chosen-ciphertext attack that was described here, even when the padding in m is 
used; so alternative padding/hashing methods such as those described in SQ should be 
used to avoid the attacks described in this paper. 



A Chosen-Ciphertext Attack against NTRU 



35 



References 

1. Mihir Bcllare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations 
among notions of security for public-key encryption schemes. In Hugo Krawczyk, 
editor, Advances in Cryptology — CRYPTO ’98, volume 1462 of Lecture Notes in 
Computer Science, pages 26-45. Springer, 1998. 

2. Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption. In A. de San- 
tis, editor, Advances in Cryptology — EUROCRYPT’94, volume 950 of Lecture 
Notes in Computer Science, pages 92-111. Springer- Verlag, 1994. 

3. D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In Advances in Cryp- 
tology — EUROCRYPT’97, volume 1233 of Lecture Notes in Computer Science, 
pages 52-61, 1997. 

4. Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and 
symmetric encryption schemes. In Michael Wiener, editor, Advances in Cryptology 

— CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 537- 
554. Springer- Verlag, 1999. 

5. H. Gilbert, D. Gupta, A.M. Odlyzko, and J.-J. Quisquater. Attacks on 
shamir’s ’rsa for paranoids’. Information Processing Letters, 68:197-199, 1998. 
http: / /www. research, att.com/~amo/doc/recent.html. 

6. Chris Hall, Ian Goldberg, and Bruce Schneier. Reaction attacks against several 
public-key cryptosystems. In G. Goos, J. Hartmanis, and J; van Leeuwen, edi- 
tors, ICICS’99, volume 1726 of Lecture Notes in Computer Science, pages 2-12. 
Springer- Verlag, 1999. 

7. Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring based public 
key cryptosystem. In ANTS’3, volume 1423 of Lecture Notes in Computer Science, 
pages 267-288. Springer Verlag, 1998. 

8. Jeffrey Hoffstein and Joseph H. Silverman. Reaction attacks against the NTRU 
public key cryptosystem. Technical Report 15, NTRU Cryptosystems, August 
1999. 

9. M. Joye and J.-J. Quisquater. On the importance of securing your bins: the 
garbage-man-in-the-middle attack, fth ACM Conf. Computer Comm. Security, 
pages 135-141, 1997. 

10. A.K. Lenstra, H.W. Lenstra, and L. Lovasz. Factoring polynomials with polyno- 
mial coefficients. Math. Annalen, 261:515-534, 1982. 

11. Joseph H. Silverman. Plaintext awareness and the NTRU PKCS. Technical Re- 
port 7, NTRU Cryptosystems, July 1998. 

12. Joseph H. Silverman. Estimated breaking times for NTRU lattices. Technical 
Report 12, NTRU Cryptosystems, March 1999. 




Privacy Preserving Data Mining 



Yehuda Lindell 1 and Benny Pinkas 2 * 

1 Department of Computer Science and Applied Math, Weizmann Institute of 
Science, Rehovot, Israel. lindellSwisdom.weizmajm.ac.il 
2 School of Computer Science and Engineering, Hebrew University of Jerusalem, 
Jerusalem, Israel, bpinkas@cs.huji.ac.il 



Abstract. In this paper we introduce the concept of privacy preserving 
data mining. In our model, two parties owning confidential databases 
wish to run a data mining algorithm on the union of their databases, 
without revealing any unnecessary information. This problem has many 
practical and important applications, such as in medical research with 
confidential patient records. 

Data mining algorithms are usually complex, especially as the size of 
the input is measured in megabytes, if not gigabytes. A generic secure 
multi-party computation solution, based on evaluation of a circuit com- 
puting the algorithm on the entire input, is therefore of no practical use. 
We focus on the problem of decision tree learning and use ID3, a pop- 
ular and widely used algorithm for this problem. We present a solution 
that is considerably more efficient than generic solutions. It demands 
very few rounds of communication and reasonable bandwidth. In our 
solution, each party performs by itself a computation of the same order 
as computing the ID3 algorithm for its own database. The results are 
then combined using efficient cryptographic protocols, whose overhead 
is only logarithmic in the number of transactions in the databases. We 
feel that our result is a substantial contribution, demonstrating that se- 
cure multi-party computation can be made practical, even for complex 
problems and large inputs. 



1 Introduction 

We consider a scenario where two parties having private databases wish to co- 
operate by computing a data mining algorithm on the union of their databases. 
Since the databases are confidential, neither party is willing to divulge any of 
the contents to the other. We show how the involved data mining problem of de- 
cision tree learning can be efficiently computed, with no party learning anything 
other than the output itself. We demonstrate this on ID3, an algorithm widely 
used and implemented in many real applications. 

Confidentiality Issues in Data Mining. A key problem that arises in any en 
masse collection of data is that of confidentiality. The need for secrecy is some- 
times due to law (e.g. for medical databases) or can be motivated by business 
interests. However, sometimes there can be mutual gain by sharing of data. A 

* Supported by an Eshkol grant of the Israel Ministry of Science. 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. 36-Q 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



Privacy Preserving Data Mining 



37 



key utility of large databases today is research, whether it be scientific, or eco- 
nomic and market oriented. The medical field has much to gain by pooling data 
for research; as can even competing businesses with mutual interests. Despite 
the potential gain, this is not possible due to confidentiality issues which arise. 

We address this question and show that practical solutions are possible. Our 
scenario is one where two parties P\ and P2 own databases D\ and D 2. The 
parties wish to apply a data-mining algorithm to the joint database D\ U D2 
without revealing any unnecessary information about their individual databases. 
That is, the only information learned by Pi about D2 is that which can be learned 
from the output, and vice versa. We do not assume any “trusted” third party 
who computes the joint output. 

Very Large Databases and Efficient Computation. We have described a 
model which is exactly that of multi-party computation. Therefore, there exists 
a secure solution for any functionality (Goldreich et. al. in P 3 J). As we discuss in 
Section o due to the fact that these solutions are generic, they are highly inef- 
ficient. In our case where the inputs are very large and the algorithms reasonably 
complex, they are far from practical. 

It is clear that any reasonable solution must have the individual parties do 
the majority of the computation independently. Our solution is based on this 
guiding principle and in fact, the number of bits communicated is dependent on 
the number of transactions by a logarithmic factor only. 

Semi-Honest Parties. In any multi-party computation setting, a malicious 
party can always alter his input. In the data-mining setting, this fact can be 
very damaging as an adversarial party may define his input to be the empty 
database. Then, the output obtained is the result of the algorithm on the other 
party’s database alone. Although this attack cannot be prevented, we would 
like to limit attacks by malicious parties to altering their input only. However, 
for this initial work we assume that the parties are semi-honest (also termed 
passive). That is, they follow the protocol as it is defined, but may record all 
intermediate messages sent in an attempt to later derive additional information. 
We leave the question of an efficient solution to the malicious party setting for 
future work. In any case, as was described above, malicious parties cannot be 
prevented from obtaining meaningful confidential information and therefore a 
certain level of trust is anyway needed between the parties. We remark that the 
semi-honest model is often a realistic one; that is, deviating from a specified 
program which may be buried in a complex application is a non-trivial task. 

1.1 Related Work 

Secure two party computation was first investigated by Yao m , and was later 
generalized to multi-party computation in These works all use a similar 

methodology: the function F to be computed is first represented as a combinato- 
rial circuit, and then the parties run a short protocol for every gate in the circuit. 
While this approach is appealing in its generality and simplicity, the protocols 
it generates depend on the size of the circuit. This size depends on the size of 
the input (which might be huge as in a data mining application), and on the 
complexity of expressing F as a circuit (for example, a multiplication circuit is 



38 



Yehuda Lindell and Benny Pinkas 



quadratic in the size of its inputs). We stress that secure computation of small 
circuits with small inputs can be practical using the [21] protocol 0 

There is a major difference between the protocol described in this paper and 
other examples of multi-party protocols (e. g . mm- While previous protocols 
were efficient (polynomial) in the size of their inputs, this property does not 
suffice for data mining applications, as the input consists of huge databases. In 
the protocol presented here, most of the computation is done individually by 
each of the parties. They then engage in a few secure circuit evaluations on very 
small circuits. We obtain very few rounds of communication with bandwidth 
which is practical for even very large databases. 



Outline: The next section describes the problem of classification and a widely 
used solution to it, decision trees. Following this, Section 0 presents the se- 
curity definition and Section 0 describes the cryptographic tools used in the 
solution. Section 0 contains the protocol itself and its proof of security. Finally, 

def 

the main subprotocol that privately computes random shares of f(v 1 , 1 ) 2 ) = 
(vi + V 2 ) ln(ui + V 2 ) is described in Section 0 



2 Classification by Decision Tree Learning 

This section briefly describes the machine learning and data mining problem of 
classification and ID3, a well-known algorithm for it. The presentation here is 
rather simplistic and very brief and we refer the reader to Mitchell for an in- 
depth treatment of the subject. The ID3 algorithm for generating decision trees 
was first introduced by Quinlan in uni and has since become a very popular 
learning tool. 

The aim of a classification problem is to classify transactions into one of a 
discrete set of possible categories. The input is a structured database comprised 
of attribute-value pairs. Each row of the database is a transaction and each 
column is an attribute taking on different values. One of the attributes in the 
database is designated as the class attribute; the set of possible values for this 
attribute being the classes. We wish to predict the class of a transaction by 
viewing only the non-class attributes. This can thus be used to predict the class 
of new transactions for which the class is unknown. 

For example, a bank may wish to conduct credit risk analysis in an attempt 
to identify non-profitable customers before giving a loan. The bank then defines 
“Profitable-customer” (obtaining values “yes” or “no”) to be the class attribute. 
Other database attributes may include: Home-Owner, Income, Years-of-Credit, 
Other-Delinquent-Accounts and other relevant information. The bank is then 
interested in obtaining a tool which can be used to classify a new customer as 
potentially profitable or not. The classification may also be accompanied with a 
probability of error. 

1 The pi) protocol requires only two rounds of communication. Furthermore, since the 
circuit and inputs are small, the bandwidth is not too great and only a reasonable 
number of oblivious transfers need be executed. 



Privacy Preserving Data Mining 



39 



2.1 Decision Trees and the ID3 Algorithm 

A decision tree is a rooted tree containing nodes and edges. Each internal node is 
a test node and corresponds to an attribute; the edges leaving a node correspond 
to the possible values taken on by that attribute. For example, the attribute 
“Home-Owner” would have two edges leaving it, one for “Yes” and one for “No”. 
Finally, the leaves of the tree contain the expected class value for transactions 
matching the path from the root to that leaf. 

Given a decision tree, one can predict the class of a new transaction t as 
follows. Let the attribute of a given node v (initially the root) be A, where A 
obtains possible values a i, ...,a m . Then, as described, the m edges leaving v are 
labeled ai, ...,a m respectively. If the value of A in t equals a.;, we simply go to 
the son pointed to by ai . We then continue recursively until we reach a leaf. The 
class found in the leaf is then assigned to the transaction. 

The following notation is used: R: a set of attributes ; C: the class attribute 
and T: a set of transactions. The ID3 algorithm assumes that each attribute is 
categorical, that is containing discrete data only, in contrast to continuous data 
such as age, height etc. 

The principle of the ID3 algorithm is as follows: 

The tree is constructed top-down in a recursive fashion. At the root, each 
attribute is tested to determine how well it alone classifies the transactions. The 
“best” attribute (to be discussed below) is then chosen and we partition the re- 
maining transactions by it. We then recursively call ID3 on each partition (which 
is a smaller database containing only the appropriate transactions and without 
the splitting attribute). See Figure IH for a description of the ID 3 algorithm. 



ID3 (R, C, T) 

1. If R is empty, return a leaf-node with the class value of the majority of the 
transactions in T. 

2. If T consists of transactions with all the same value c for the class attribute, 
return a leaf-node with the value c (finished classification path). 

3. Otherwise, 

(a) Find the attribute that best classifies the transactions in T, let it be A. 

(b) Let ai, ...,a m be the values of attribute A and let T'(ai), ...,T(a m ) be a 
partition of T s.t. every transaction in T(m) has the attribute value ai. 

(c) Return a tree whose root is labeled A (this is the test attribute) and has 
edges labeled ai, ..., a m such that for every i, the edge m goes to the tree 
ID3 (R-{A},C,T{ ai )). 



Fig. 1 . The ID3 Algorithm for Decision Tree Learning 



What remains is to explain how the best predicting attribute is chosen. This is 
the central principle of ID3 and is based on information theory. The entropy 
of the class attribute clearly expresses the difficulty of prediction. We know the 
class of a set of transactions when the class entropy for them equals zero. The 
idea is therefore to check which attribute reduces the information of the class- 
attribute by the most. This results in a greedy algorithm which searches for a 



40 



Yehuda Lindell and Benny Pinkas 



small decision tree consistent with the database. As a result of this, decision 
trees are usually relatively small, even for large databases. 

The exact test for determining the best attribute is defined as follows. Let 
Ci,...,q be the class-attribute values. Let T(c,) be the set of transactions with 
class Cj. Then the information needed to identify the class of a transaction in T 
is the entropy, given by: 



Let A be a non-class attribute. We wish to quantify the information needed to 
identify the class of a transaction in T given that the value of A has been ob- 
tained. Let A obtain values a ±, ..., a m and let T(aj) be the transactions obtaining 
value cij for A. Then, the conditional information of T given A is given by: 



The attribute A which has the maximum gain over all attributes in R is then 
chosen. 

Since its inception there have been many extensions to the original ID3 al- 
gorithm, the most well-known being C4.5. We consider only the simpler ID3 
algorithm and leave extensions to more advanced versions for future work. 

2.2 The ID3a Approximation 

The ID3 algorithm chooses the “best” predicting attribute by comparing en- 
tropies that are given as real numbers. If at a given point, two entropies are 
very close together, then the two (different) trees resulting from choosing one 
attribute or the other are expected to have almost the same predicting capabil- 
ity. Formally stated, let S be some small value. Then, for a pair of attributes A\ 
and A 2 , we say that A\ and A 2 have 6 -equivalent information gains if 



This definition gives rise to an approximation of ID3. Denote by IV3g the set of 
all possible trees which are generated by running the ID3 algorithm, and choosing 
either Ai or A 2 in the case that they have 5-equivalent information gains. We 
actually present a protocol for secure computation of a specific algorithm ID3<5 £ 
I2?35, in which the choice of A\ or A 2 is implicit by an approximation that is 
used instead of the log function. The value of S influences the efficiency, but only 
by a logarithmic factor. 

2 Note that the gain measure biases attributes with many values and another measure 
called the Gain Ratio is therefore sometimes used. We present the simpler version 
here. 





H C (T\A) = jr ^^H c (T(a ,)) 



\H c {T\Ai) — Hc(T\A 2 )\ < S 



Privacy Preserving Data Mining 



41 



3 Security Definition — Private Computation of Functions 

The model for this work is that of general multi-party computation, more specifi- 
cally between two semi-honest parties. Our formal definitions here are according 
to Goldreich in G2J- We now present in brief the definition for general two- 
party computation of a functionality with semi-honest parties only. We present 
a formalization based on the simulation paradigm (this is equivalent to the ideal- 
model definition in the semi-honest case). 

Formal Definition. The following definitions are taken from m- We begin with 
the following notation: 

— Let / : {0, 1}* x {0, 1}* >->• {0, 1}* x {0, 1}* be a functionality where fi(x. y) 
(resp., f 2 (x,y)) denotes the first (resp., second) element of f(x,y) and let 
II be a two-party protocol for computing /. 

— The view of the first (resp., second) party during an execution of 77 on 
(a :,y), denoted view( 7 (a :,y) (resp., view!/ (x,y)), is (x, r, mi , ..., mt) (resp., 
(y, r, mi, ..., m t )) where r represents the outcome of the first (resp., second) 
party’s internal coin tosses, and mj represents the i’th message it has re- 
ceived. 

— The output of the first (resp., second) party during an execution of 77 on 
( x,y ) is denoted output{ 7 (a;, y) (resp., output^ 7 (x, y)), and is implicit in the 
party’s view of the execution. 

We note that in the case of ID3^ itself, we have fi = fi = ID3<5 (however, in the 
subprotocols that we use it is often the case that fi ^ f 2 ). 

Definition 1 (privacy w.r.t. semi-honest behavior): For a functionality f, we 
say that II privately computes f if there exist probabilistic polynomial time algo- 
rithms, denoted Si and S 2 , such that 

{(Si{x, fi(x,y)), f 2 (x,y))} x ye{01} , = {(viewf (x, y), output^ (x, y))} x ye{Q 1} „ (1) 
{(fi(x,y),S 2 {y,Mx,y)))} x ye{01} « = {(output^ 7 (x, y),view/ (x, 2/))}^. y6{0 1} » (2) 

where = denotes computational indistinguishability. 

Equations d) and © state that the views of the parties can be simulated by 
a polynomial time algorithm given access to the party’s input and output only. 
We emphasize that the parties here are semi-honest and the view is therefore 
exactly according to the protocol definition. We note that it is not enough for the 
simulator S± to generate a string indistinguishable from view( 7 (a;, y). Rather, the 
joint distribution of the simulator’s output and f 2 {x,y) must be indistinguish- 
able from (view/ 1 {x,y), output^ 7 (x, y)). See |T5J for a discussion on why this is 
essential. 

Composition of Private Protocols. The protocol for privately computing ID3^ is 
composed of many invocations of smaller private computations. In particular, 
we reduce the problem to that of privately computing smaller subproblems and 
show how to compose them together in order to obtain a complete ID3^ solution. 
This composition is shown to be secure in Goldreich H23- 



42 



Yehuda Lindell and Benny Pinkas 



3.1 Secure Computation of Approximations 

Our work takes ID3^ as the starting point and security is guaranteed relative 
to the approximated algorithm, rather than to ID3 itself. We present a secure 
protocol for computing ID3,5. That is, Pi can compute his view given D\ and 
ID3i(Di U D 2 ) only (likewise P 2 ). However, this does not mean that ID3a(Di U 
D 2 ) reveals the “same” information as ID3(Hi U D 2 ) does. In fact, it is clear 
that although the computation of ID3^ is secure, different information is revealed 
(intuitively though, no “more” information is revealed fl- 

The problem of secure distributed computation of approximations was in- 
troduced and discussed by Feigenbaum et. al. m- Their main motivation is a 
scenario in which the computation of an approximation to a function / might be 
considerably more efficient than the computation of / itself. The security def- 
inition requires that the approximation does not reveal more about the inputs 
than / does. In addition, the paper presents several general techniques for com- 
puting approximations, and efficient protocols for computing approximations of 
distances. 

4 Cryptographic Tools 

4.1 Oblivious Transfer 

The notion of l-out-2 oblivious transfer ( OTf ) was suggested by Even, Goldre- 
ich and Lempel f5|, as a generalization of Rabin’s “oblivious transfer” |2Q]. This 
protocol involves two parties, the sender and the receiver. The sender has two 
inputs (A'o,Ai), and the receiver has an input a £ {0,1}. At the end of the 
protocol the receiver should learn X a and no other information, and the sender 
should learn nothing. Very attractive non-interactive OT{ protocols were pre- 
sented in [JJ. More recent results in m reduce the amortized overhead of OTf, 
and describe non-interactive OTf of strings whose security is not based on the 
“random oracle” assumption. Oblivious transfer protocols can be greatly simpli- 
fied if the parties are assumed to be semi-honest, as they are in the application 
discussed in this paper. 



4.2 Oblivious Evaluation of Polynomials 

In the oblivious polynomial evaluation problem there is a sender who has a poly- 
nomial P of degree k over some finite field T and a receiver with an element 
x £ T . The receiver obtains P[x) without learning anything else about the poly- 
nomial P and the sender learns nothing about x. This primitive was introduced 
in m- For our solution we use a new protocol 0 that requires O(k) exponenti- 
ations in order to evaluate a polynomial of degree k (where the ‘O’ coefficient is 
very small). This is important as we work with low-degree polynomials. Following 
are the basic ideas of this protocol. 

3 Note that although our implementation approximates many invocations of the in 
function, none of these approximations is revealed. The only approximation which 
becomes known to the parties is the final result of ID3a. 



Privacy Preserving Data Mining 



43 



Let P(y) = o a iy l an d x the sen d er and receiver’s respective inputs. 
The following protocol enables the receiver to compute g p ^ x \ where g is a gen- 
erator of a group in which the Decisional Diffi e-Hellman assumption holds. The 
protocol is very simple since it is assumed that the parties are semi-honest. It can 
be converted to one which computes P( x) using the the methods of Paillier CH|, 
who presented a trapdoor for computing discrete logs. Security against malicious 
parties can be obtained using proofs of knowledge. The protocol consists of the 
following steps: 

— The receiver chooses a secret key s, and sends g s to the sender. 

— For 0 < i < k, the receiver computes Cj = (g ri , g s ' ri g x ), where r, is random. 
The receiver sends Cq , . . • , C/ ; to the sender. 

— The sender computes C = i7^ =0 (c,;) Qi = (g R , g sR g p ^), where R=J2i= o r i a i- 
It then chooses a random value r and computes C' = ( g R ■ g r , g sR g p ^ ■ g sr ) 
and sends it to the receiver. 

— The receiver divides the second element of C by the first element of C' 
raised to the power of s, and obtains g p ( x \ 

By the DDH assumption, the sender learns nothing of x 1 from the messages 
Co .... , Cfe sent by the receiver to the sender. On the other hand, the receiver 
learns nothing of P from C . 

4.3 Oblivious Circuit Evaluation 

The two party protocol of Yao eh solves the following problem. There are two 
parties, a party A which has an input x, and a party B which has as input 
a function / and a combinatorial circuit that computes /. At the end of the 
protocol A outputs f(x) and learns no other information about /, while B learns 
nothing at all. We employ this protocol for the case that / depends on two inputs 
x and y , belonging to A and B respectively. This is accomplished by having B 
simply hardwire his input y into the circuit (that is, B’s input is a function 
f(-,y) and A obtains f(x,y ) from the circuit) 0 

The overhead of the protocol involves (1) B sending to A tables of size linear 
in the size of the circuit, (2) A and B engaging in an oblivious transfer protocol 
for every input wire of the circuit, and (3) A computing a pseudo-random func- 
tion a constant number of times for every gate. Therefore, the number of rounds 
of this protocol is constant (namely, two rounds using non-interactive oblivious 
transfer), and the main computational overhead is that of running the oblivious 
transfers. 

def 

Computing Random Shares. Note that by defining r\ = F(x, (y, r 2 )) = /( x, y) — 
r 2 , A and B obtain random shares summing to f(x,y). 

5 The Protocol 

The central idea of our protocol is that all intermediate values of the computation 
seen by the players are uniformly distributed. At each stage, the players obtain 

4 In the case that / is known and the parties are semi-honest, Yao’s evaluation con- 
stitutes a secure protocol for the described problem. 



44 



Yehuda Lindell and Benny Pinkas 



random shares v\ and V 2 such that their sum equals an appropriate intermediate 
value. Efficiency is achieved by having the parties do most of the computation 
independently. 

We assume that there is a known upper bound on the size of the union of 
the databases, and that the attribute-value names are publicfl 

Solution Outline. The “most difficult” step in privately computing ID3,5 reduces 
to oblivious evaluation of the 2 In a; function ISection lh. II) . (A private protocol 
for this task is presented separately in Section 0) Next, we show how given a 
protocol for computing x In x, we can privately find the next attribute in the 
decision tree (Section 15.21 . Finally, we describe how the other steps of the ID 3,5 
algorithm are privately computed and show the complete private protocol for 
computing ID3^ (Section E3). 



5.1 A Closer Look at ID3,5 

The part of ID3i which is hardest to implement in a private manner is step 
3(a). In this step the two parties must find the attribute A that best classi- 
fies the transactions T in the database, namely the attribute that provides the 
maximum information gain. This step can be stated as: Find the attribute A 
which minimizes the conditional information of T given A, Hc(T\A). Exam- 
ine Hc{T\A) for an attribute A with m possible values ai, . . . ,a m , and a class 
attribute C with l possible values e.\, ... ,Cf. 



H C (T\A) = J2 



3 = 1 



|T(flj)| 

m 



Hc(T(a 3 :)) 



- iti E E 



\T(aj,a)\ j o gj-|T(aj, Ci)| , 



3 = 1 



in%)i 



in<b)i 



m 



-EE \T( aj , Ci )\ log(| T( aj , d) I) + 22 |T(a*)l log(in<b)|) (3) 



3 = 1 i=l 



3 = 1 



Note that since the algorithm is only interested in finding the attribute A which 
minimizes Hc{T\A), the coefficient 1/| T\ can be ignored. Also, natural loga- 
rithms can be used instead of logarithms to the base 2. 

The database is a union of two databases, D 1 which is known to Pi and 
D 2 which is known to P 2 . The number of transactions for which attribute A 
has value aj can therefore be written as |T(a.,-)| = |Ti(aj)| + |T 2 (a,)|, where 
\Tb(aj)\ is the number of transactions with attribute A set to aj in database 
Db (likewise T{aj,cf) is the number of transaction with A = aj and the class 
attribute set to cf). The values |Ti(aj)| and \Ti(aj,Ci)\ can be computed by 
party Pi independently, and the same holds for P 2 . Therefore the expressions 
that should be compared can be written as a sum of expressions of the form 



(vi + V 2 ) ■ ln(ui + v 2 ), 

5 It is clear that the databases must have the same structure with previously agreed 
upon attribute names. 



Privacy Preserving Data Mining 



45 



where vi is known to P± and V2 is known to P2. The main task is, therefore, to 
privately compute x In x and a protocol for this task is described in Section Q 
The exact definition of this protocol is provided in Figure Q 



5.2 Finding the Attribute with Maximum Gain 

Given the above protocol for privately computing shares of x In x , the attribute 
with the maximum information gain can be determined. This is done in two 
stages: first, the parties obtain shares of Hc(T\A) ■ \T\ ■ In 2 for all attributes 
A and second, the shares are input into a very small circuit which outputs the 
appropriate attribute. In this section we refer to a field T which is defined so 
that \T\ > H C (T\A) ■ \T\ - In 2 . 

Stage 1 (computing shares) : For every attribute A, for every attribute- value 
a-j £ A and every class Ci € C, P\ and P2 use the x I11 x protocol in order to 
obtain WA,i( a j), UM^ay), WA,i( a j> c i) and WA } 2(aj,Ci) £r -P such that 

WA,ii a i ) + w A ,2{aj) = \T(aj)\ ■ log(|T(aj)|) mod \T\ 

WA,i(aj,a) + WA,2{aj,a) = \T(aj,a)\ ■ log(|T(aj, Ci)|) mod \T\ 

Now, define H C {T\A) d = H C {T\A) ■ \T\ ■ In 2 . Then, 

m £ m 

H C (T\A ) = - EE \T{a jlCi )\ ■ ln(|T(oj , c,)|) + ^ |T(a,)| ■ ln(|T(a,)|) 

j = 1 i=l 3 = 1 

Then, Pi (and likewise P2) computes his share in Hc(T\A) as follows: 

mi m 

S A , 1 = - EE WA,l{ a ii Ci) + WA,l{ a i) m °d l-P| 

j= 1 j= 1 

It is clear that 6(4,1 + Sa,2 = Hc(T\A) mod \T\ and we therefore have that for 
every attribute A, Pi and P2 obtain shares in Hc{T\A) (this last step involves 
local computation only). 

Stage 2 (finding the attribute): It remains to find the attribute with the minimum 
Hc(T\A ) (and therefore the minimum Hc(T\A)). This is done via a Yao circuit 
evaluation ED- We note that since Hc(T\A) < |P|, it holds that either S44 + 
= H C (T\A) or 64,1 + £4,2 = H C (T\A) + \T\. 

The parties run an oblivious evaluation of a circuit with the following func- 
tionality. The circuit input is the shares of both parties for each Hc{T\A). The 
circuit first computes each Hc{T\A) (by subtracting \T\ if the sum is larger 
than \J-\ — 1 or leaving it otherwise), and then compares the results to find the 
smallest among them. This circuit has 2 |P| inputs of size log \T\ and its size 
is 0 (|P| log |P|). Note that |P|log|P| is a small number and thus this circuit 
evaluation is efficient. 



46 



Yehuda Lindell and Benny Pinkas 



Privacy: Stage 1 is clearly private as it involves many invocations of a private 
protocol that outputs random shares, followed by a local computation. Stage 2 is 
also private as it involves a single invocation of Yao’s oblivious circuit evaluation 
and nothing more. 

Note the efficiency achieved above. Each party has to compute the same set of 
values \T(a,j, cf)\ as it computes in an individual computation of ID3. For each 
of these values it engages in the x In x protocol. (We stress that the number of 
values here does not depend on the number of transactions, but rather on the 
number of different possible values for each attribute, which is usually smaller 
by orders of magnitude.) It sums the results of all these protocols together, and 
engages in an oblivious evaluation of a circuit whose size is linear in the number 
of attributes. 

5.3 The Private ID3^ Protocol 

In the previous subsection we showed how each node can be privately computed. 
The complete protocol for privately computing ID3,5 can be seen below. The steps 
of the protocol correspond to those in the original algorithm (see Figure QJ. 

Protocol 1 (Protocol for Private Computation of 103^:) 

Step 1: If R is empty , return a leaf-node with the class value of the majority of 
the transactions in T. 

Since the set of attributes is known to both parties, they both publicly know 
if R is empty. If yes, the parties do an oblivious evaluation of a circuit whose 
inputs are the values (|Ti(ci)|, . . . , |Ti(q)|) and (|X 2 (ci)|, . . . , |T 2 (c^)|), and 
whose output is i such |Ti(cj)| + |T 2 (cj) | is maximal. The size of this circuit 
is linear in t and in log(|T|). 

Step 2: IfT consists of transactions with all the same class c, return a leaf-node 
with the value c. 

In order to compute this step privately, we must determine whether both 
parties remain with the same single class or not. We define a fixed symbol 
_L symbolizing the fact that a party has more than one remaining class. A 
party’s input to this step is then _L, or c* if it is its one remaining class. All 
that remains to do is check equality of the two inputs. The value causing the 
equality can then be publicly announced as Cj (halting the tree on this path) 
or A (to continue growing the tree from the current point). 

The equality check can be executed in one of two ways: (1) Using the “com- 
paring information without leaking it” protocols of Fagin, Naor, and Win- 
kler |SJ. This solution requires the execution of log(f+l) oblivious transfers. 
(2) Using a protocol suggested in m and which involves the oblivious eval- 
uation of linear polynomials. The overhead of this solution is 0(1) oblivious 
transfers, using the oblivious polynomial evaluation protocol of [Zj. 

Step 3: (a) Determine the attribute that best classifies the transactions in T, 
let it be A. 

For every value aj of every attribute A, and for every value Ci of the class 
attribute C, the two parties run the x In x protocol of Section 0 for T[a,j) 
and T(aj,Ci). They then continue as described in Section E3 by computing 



Privacy Preserving Data Mining 



47 



independent additions and inputting the results into a small circuit. Finally, 
they perform an oblivious evaluation of the circuit with the result being the 
attribute with the highest information gain, A. This is public knowledge as 
it becomes part of the output. 

(b,c) Recursively call 103,5 for the remaining attributes on the transaction 
sets T(ai), . . . ,T(a m ) (where ai, . . . , a m are the values of attribute A). 

The result of 3(a) and the attribute values of A are public and therefore 
both parties can individually partition the database and prepare their input 
for the recursive calls. 

Although each individual step of the above protocol has been shown to be pri- 
vate, we must show that the composition is also private. The central issue in the 
proof involves showing that the control flow can be predicted from the input and 
output only. 

Theorem 2 The protocol for computing ID3^ is private. 

Proof. In this proof the simulator is described in generic terms as it is identical 
for Pi and P 2 . Furthermore, we skip details which are obvious Recall that the 
simulator is given the output decision tree. 

We need to show that any information learned by the computation can be learned 
directly from the input and output. This is done by showing how the views can 
be correctly simulated based solely on the input and output. The computation 
of the tree is recursive beginning at the root. For each node, a “splitting” class 
is chosen (due to it having the highest information gain) developing the tree to 
the next level. Any implementation defines the order of developing the tree and 
this order is used by the simulator to write the messages received in the correct 
order. Therefore according to this order, at any given step the computation is 
based on finding the highest information gain for a known node (for the proof 
we ignore optimizations which find the gain for more than one node in parallel) . 
We differentiate between two cases: (1) a given node is a leaf node and (2) a 
given node is not a leaf. 

1. The Current Node in the Computation is a Leaf-Node: The simulator 
checks, by looking at the input, if the set of attributes R at this point is empty 
or not. If it is not empty (this can be deduced from the tree and the attribute- 
list which is public), then the computation proceeds to Step (2). In this case, 
the simulator writes that the oracle-answer from the equality call in Step (2) is 
equal (or else it would not be a leaf). On the other hand, if the list of attributes 
is empty, the computation is executed in Step (1) and the simulator writes the 
output of the majority evaluation to be the class appearing in the leaf. 

2. The Current Node in the Computation is not a Leaf-Node: In this case 
Step (1) is skipped and the oracle-answer of Step (2) must be not-equal; this 
is therefore what the simulator writes. The computation then proceeds to Step 
(3) which involves many invocations of the x In x protocol, returning values uni- 
formly distributed in T . Therefore, the simulator simply chooses the correct 
number of random values (based on the public list of attribute names, values 
and class values) and writes them. The next step of the algorithm is a local 
computation (not included in the view) and an oblivious circuit evaluation. The 




48 



Yehuda Lindell and Benny Pinkas 



simulator simply looks to see which class is written in the tree at this node and 
writes the class name as the output from the circuit evaluation. 

The computation then continues to the next node in the defined order of 
traversal. This completes the proof. B 

Remark. It is both surprising and interesting to note that if Steps (1) and 
(2) of the protocol are switched (as the algorithm is in fact presented in lfTS)h 
then it is no longer private. This is due to the equality evaluation in Step (2), 
which may leak information about the other party’s input. Consider the case 
of a computation in which at a certain point the list of attributes is empty and 
P\ has only one class c left in his remaining transactions. The output of the 
tree at this point is a leaf with a class, assume that the class is c. From the 
output it is impossible for Pi to know if P 2 y s transactions also have only one 
remaining class or if the result is because the majority of both together is c. The 
majority circuit of Step (1) covers both cases and therefore does not reveal this 
information. However, if Pi and P 2 first execute the equality evaluation, this 
information is revealed. 

Complexity. A detailed analysis of the complexity of the protocol is presented 
in Appendix 0 The overhead is dominated by the x In x protocol. 

6 A Protocol for Computing x In x 

This section describes an efficient protocol for privately computing the a: In a: 
function, as defined in Figure |5J 



— Input: Pi’s input is a value Vi ; p2’s input is V2- 

— Auxiliary input: A large enough field T , the size of which will be discussed 
later. 

— Output: Pi obtains wi G T and P2 obtains W2 £ T such that: 

1 . wi + W2 = (ui + V2) ■ ln(ui + V2) mod \P\ 

2 . wi and W2 are uniformly distributed in T when viewed independently of 

one another. 



Fig. 2. Definition of the xlnx protocol. 

There are several difficulties in the design of such a protocol. Firstly, it is not 
clear how to obliviously compute the natural logarithm efficiently. Furthermore, 
the protocol must multiply two values together. An initial idea is to use Yao’s 
generic two party circuit evaluation protocol El and construct a multiplication 
circuit. However, the size of this circuit is of the order of the multiplication of 
the sizes of its inputs. This subprotocol is to be repeated many times throughout 
the complete ID3^ protocol and its efficiency is, therefore, crucial. 

The solution requires a linear size circuit and a small number of simple oblivi- 
ous evaluation protocols. The problem is divided into two parts: First it is shown 
how to compute shares of In a; from shares of x. Secondly, we show how to obtain 
shares of the product x In x given separate shares of x and In x. 



Privacy Preserving Data Mining 



49 



6.1 Computing Shares of In a; 

We now show how to compute random shares u\ and 112 such that U 1 + U 2 = In x. 
The starting point for the solution is the Taylor series of the natural logarithm, 
namely: 



ln(l + £•) 



- (_i)i-V 

i 




3 




for — 1 < e < 1 



It is easy to verify that the error for a partial evaluation of the series is as follows: 



ln(l + e) 



^ (-1 rv 



.ifc+i 



k + 1 



1 

1 — ki 



(4) 



As is demonstrated m Section Ki.MI the error shrinks exponentially as k grows. 

Now, given an input x, let 2 n be the power of 2 which is closest to x (in 
the ID3a application, note that n < log|T|). Therefore, x = 2"(1 + e) where 
— 1/2 < e <1/2. Consequently, 



E ^ E ^ 

ln(a:) = ln(2"(l + e)) = nln2 + e — — + — + ■■ ■ 

2 3 4 

Our aim is to compute this Taylor series to the fc’th place. Let TV be a predeter- 
mined (public) upper-bound on the value of n (TV > n always). Now, we use a 
small circuit that receives v\ and V 2 as input (the value of TV is hardwired into 
it) and outputs shares of 2 N -n In 2 (for computing the first element in the series 
of lnx) and e ■ 2 N (for computing the remainder of the series). This circuit is 
easily constructed: notice that e • 2 n = x — 2 n , where n can be determined by 
looking at the two most significant bits of x, and e • 2 N is obtained simply by 
shifting the result by TV — n bits to the left. The possible values of 2 N n\u2 are 
hardwired into the circuit. As we have described, random shares are obtained 
by having one of the parties input random values a±,/3i €r T into the circuit 
and having the circuit output «2 = £ ■ 2, N — a\ and P 2 = 2 N ■ nln2 — (3\ to the 
other party. The parties therefore have shares a±,/3i and 0 : 2 , P 2 such that 

cn + 0 L 2 = e2 n and + @2 = 2 N nln2 

The second stage of the protocol involves computing shares of the Taylor series 
approximation. In fact, it computes shares of 

/ -2 3 k \ 

lcm(2, ...k) ■ 2 n I n\n2 + e — - — ] — ~ lcm(2, ...k)2 N lna; (5) 

V 2 3 k J 

(where lcm(2, ..., k) is the lowest common multiple of {2, . . . , k}, and we multiply 
by it to ensure that there are no fractions). In order to do this Pi defines the 
following polynomial: 



k 

Q(x) = lcm (2, . . . , k) ■ ^2 

i = 1 



(-l )*" 1 ( ai + xY 
2 N(i-l) 



l 



- w 1 



50 



Yehuda Lindell and Benny Pinkas 



where w\ Gr T is randomly chosen. It is easy to see that 

w 2 = f Q(a 2 ) = lcm(2, k) ■ 2 N ■ — - 

Vi=l 

Therefore by a single oblivious polynomial evaluation of the fc-degree polyno- 
mial Q(-), Pi and P 2 obtain random shares w i and w 2 to the approximation in 
Equation ©. Namely Pi defines U\ = w\ + lcm(2, . . . , k)(3i and likewise P 2 . We 
conclude that 

U\ + u 2 ~ lcm(2 , . . . ,k) 2 n ■ In x 

This equation is accurate up to an approximation error which we bound, and 
the shares are random as required. Since N and k are known to both parties, the 
additional multiplicative factor of 2 N -lcm(2, . . . , k) is public and can be removed 
at the very end. Notice that all the values in the computation are integers (except 
for 2 N n\n2 which is given as the closest integer number). 




The size of the field T . It is necessary that the field be chosen large enough so 
that the initial inputs in each evaluation and the final output be between 0 and 
\T\ — 1. Notice that all computation is based on e2 N . This value is raised to 
powers up to k and multiplied by lcm(2, . . . , k). Therefore a field of size 2 Nk+2k 
is clearly large enough, and requires ( N + 2 )k bits for representation. 

We now summarize the In a; protocol: 

Protocol 2 (Protocol In a;) 



1. Pi and P 2 input their shares v± and v 2 into an oblivious evaluation protocol 
for a circuit outputting: (1) Random shares an and a 2 of s2 N (i.e. 01 + 02 = 
e2 N mod|P|). (2) Random shares /3i,/3 2 such that f3\+ (3 2 = 2 N ■ nln2. 

2. Pi chooses w\ Gr T and defines the following polynomial 



k 

Q(x) = lcm(2, . . . , k) ■ ^2 
2=1 



(-1) 1 1 (01 + x) 1 
2^-!) i 



- w 1 



3. Pi and P 2 then execute an oblivious polynomial evaluation with Pi inputting 
Q(-) and P 2 inputting o 2 , in which P 2 obtains w 2 = Q(a 2 )- 

4 . Pi and P 2 define U\ = lcm(2, . . . , k)/3i + Wi and u 2 = lcm(2, . . . , k)(3 2 + w 2 
respectively. We have that iq + u 2 ~ 2 Ar lcm(2, . . . , k) ■ In x 



Proposition 3 Protocol 0 constitutes a private protocol for computing random 
shares of c ■ In a; in T , where c = 2 Jv lcm(2, . . . , k) . 

Proof. We first show that the protocol correctly computes shares of clncc. In 
order to do this, we must show that the computation over T results in a correct 
result over the reals. We first note that all the intermediate values are integers. In 
particular, z2 n equals x — 2 n and is therefore an integer as is e2 N (since N > n). 
Furthermore, every division by i (2 < * < k) is counteracted by a multiplication 



Privacy Preserving Data Mining 



51 



by lcm(2 , . . . , k). The only exception is 2 N n\n 2 . However, this is taken care of 
by having the original circuit output the closest integer to 2 N n In 2 (although the 
rounding to the closest integer introduces an additional approximation error, it 
is negligible compared to the approximation error of the Taylor series). 

Secondly, the field T is defined to be large enough so that all intermediate 
values (i.e. the sum of shares) and the final output (as a real number times 
2 n ■ lcm(2 , . . . , k)) are between 0 and \T\ — 1. Therefore the two shares uniquely 
identify the result, which equals the sum (over the integers) of the two random 
shares if it is less than \T\ : or the sum minus \T\ otherwise. 

The proof of privacy appears in the full version of the paper. | 



6.2 Computing Shares of a: In a: 

We begin by briefly describing a simple multiplication protocol that on private 
inputs ai and 02 outputs random shares b\ and 62 (in some finite field T) such 
that bi + 62 = &1 • a.2- 

Protocol 3 (Protocol Mult(ai, 02 )) 

The protocol is very simple and is based on an oblivious evaluation of a linear 
polynomial. The protocol begins by Pi choosing a random value b\ € T and 
defining a linear polynomial Q{ x) = a\x — b\. P\ and P2 then engage in an 
oblivious evaluation of Q , in which P 2 obtains & 2 = Q(a 2 ) = ah-a 2 — b\. We define 
the respective outputs of P± and P 2 as bi and & 2 giving us that b\ + & 2 = oi • 02 ■ 

Proposition 4 Protocol Q constitutes a private protocol for computing Mult as 
defined above. 

We are now ready to present the complete a; In a; protocol: 

Protocol 4 (Protocol a; In a;) 

1. Pi and P 2 use Protocol Q for privately computing shares of In a: in order to 
obtain random shares u± and U2 such that u\ + w 2 = In a;. 

2. Pi and P 2 use two invocations of Protocol 0 in order to obtain shares of 
ati • V2 and U2 ■ v 1 . 

3. Pi (resp., P 2 ) then defines his output w\ (resp., ui 2 ) to be the sum of the 
two Mult shares and u\ • v\ (resp., m 2 • w 2 ). 

4. We have that W1+W2 = U1V1+U1V2+U2V1+U2V2 = (mi+m 2 )(m 2 +u 2 ) = a:lnx 
as required. 



Theorem 5 Protocol is a protocol for privately computing random shares of 
xlnx. 

The correctness of the protocol is straightforward. The proof of the privacy 
properties appears in the full version of the paper. 

Complexity The detailed analysis of the complexity is presented in Appendix 0 



52 



Yehuda Lindell and Benny Pinkas 



6.3 Choosing the Parameter k 

Recall that the parameter k defines the accuracy of the Taylor approximation 
of the “In” function. Given 6 and the database, we analyze which k we need to 
take in order to ensure that the defined ^-approximation is correctly estimatecj^l 
From here on we denote an approximation of the value z by z. 

The approximation definition of ID3^ requires that for all Ai , A 2 



H c {T\A r) > H c (T\A 2 ) + 8 =* HcWAi) > H C (T\A 2 ) 



This is clearly fulfilled if 



H c (T\A b ) - H c {T\A b ) 



< I for b = 1, 2. 



We now bound the difference on each | In x — lnx| in order that the above 
condition is fulfilled. By replacing logo; by In a; — lna;| in Equation (0 com- 



puting Hc(T\A), we obtain a bound on the error of 



H c (T\Ai) - Hc(T\A{) . 



A straightforward algebraic manipulation gives us that if jAj|lna: — lnx| < |, 
then the error is less than | as required. As we have mentioned (Equation (0), 
the In a; error is bounded by \! +1 \zje\ anc ^ this * s ma ™ lm at | £ l = ^ (recall 
that <£< g). Therefore, given <5, we set 2 hl +1 < f Tn2 or k + log(fc + 1) > 
log [yyyj] (for 8 = 0.0001, it is enough to take k > 12). Notice that the value of 
k is not dependent on the input database. 



References 

1. M. Bellare and S. Micali, Non-interactive oblivious transfer and applications, Ad- 
vances in Cryptology - Crypto ’89, pp. 547-557, 1990. 

2. M. Ben-Or, S. Goldwasser and A. Wigderson, Completeness theorems for non cryp- 
tographic fault tolerant distributed computation, 20th STOC, (1988), 1-9. 

3. D. Boneli and M. Franklin, Efficient generation of shared RSA keys, Proc. of 
Crypto’ 97, LNCS, Vol. 1233, Springer- Verlag, pp. 425-439, 1997. 

4. R. Canetti, Security and Composition of Multi-party Cryptographic Protocols. To 
appear in the Journal of Cryptology. Available from the Theory of Cryptography 
Library at http://philby.ucsd.edu/cryptlib, 1998. 

5. D. Chaum, C. Crepeau and I. Damgard, Multiparty unconditionally secure proto- 
cols, 20th Proc. ACM Symp. on Theory of Computing, (1988), 11-19. 

6. B. Chor, O. Goldreich, E. Kushilevitz and M. Sudan, Private Information Re- 
trieval, 36th FOCS, pp. 41-50, 1995. 

7. R. Cramer, N. Gilboa. M. Naor, B. Pinkas and G. Poupard, Oblivious Polynomial 
Evaluation, 2000. 

8. S. Even, O. Goldreich and A. Lempel, A Randomized Protocol for Signing Con- 
tracts, Communications of the ACM 28 , pp. 637-647, 1985. 

9. R. Fagin, M. Naor and P. Winkler, Comparing Information Without Leaking It, 
Communications of the ACM, vol 39, May 1996, pp. 77-85. 

6 An additional error is introduced by rounding the value 2 N n\n2 to the closest inte- 
ger. We ignore this error as it is negligible compared to the approximation error of 
the In function. 



Privacy Preserving Data Mining 



53 



10. J. Feigenbaum, J. Fong, M. Strauss and R. N. Wright, Secure Multiparty Compu- 
tation of Approximations, manuscript, 2000. 

11. N. Gilboa, Two Party RSA Key Generation, Proc of Crypto ’99, Lecture Notes in 
Computer Science, Vol. 1666, Springer- Verlag, pp. 116-129, 1999. 

12. O. Goldreich, Secure Multi-Party Computation, 1998. (Available at 
http: / /pliilby. ucsd.edu) 

13. O. Goldreich, S. Micali and A. Wigderson, How to Play any Mental Game - A 
Completeness Theorem for Protocols with Honest Majority. In 19th ACM Sympo- 
sium on the Theory of Computing, pp. 218-229, 1987. 

14. J. Kilian, Uses of randomness in algorithms and protocols, MIT Press, 1990. 

15. T. Mitchell, Machine Learning. McGraw Hill, 1997. 

16. M. Naor and B. Pinkas, Oblivious Transfer and Polynomial Evaluation, Proc. of 
the 31st STOC, Atlanta, GA, pp. 245-254, May 1-4, 1999. 

17. M. Naor and B. Pinkas, Efficient Oblivious Transfer Protocols, manuscript, 2000. 

18. P. Paillier, Public-Key Cryptosystems Based on Composite Degree Residuocity 
Classes. Proc. of Eurocrypt ’99, LNCS Vol. 1592, pp. 223-238, 1999. 

19. J. Ross Quinlan, Induction of Decision Trees. Machine Learning 1(1): 81-106(1986) 

20. M. O. Rabin, How to exchange secrets by oblivious transfer, Tech. Memo TR-81, 
Aiken Computation Laboratory, 1981. 

21. A.C. Yao, How to generate and exchange secrets, Proc. of the 27th IEEE Symp. 
on Foundations of Computer Science, 1986, pp. 162-167. 

A Complexity 

The communication complexity is measured by two parameters: the number of 
rounds and the bandwidth of all messages sent. As for the computation overhead, 
it is measured by the number of exponentiations and oblivious transfers (ignoring 
evaluations of pseudo-random functions, since they are more efficient by a few 
orders of magnitude) . 

Parameters: The overhead depends on the following parameters: 

— T , the number of transactions. 

— k, the length of the Taylor series, which affects the accuracy. 

— T , the field over which the computation is done. This is set as a function of 
the above two parameters, namely log \T\ = ( k + 2) log \T\ 

— |i?|, the number of attributes. 

— to, the number of possible values for each attribute (to simplify the notation 
assume that this is equal for all attributes). 

— £, the number of possible values for the class attribute. 

— \E\, the length of an element in the group in which oblivious transfers and 
exponentiations are implemented. To simplify the notation we assume that 
\E\ > log \E\ = k log \T\. 

— | S' |, the length of a key for a pseudorandom function used in the circuit 
evaluation (say, 80 or 100 bits long). 

— \D\, the number of nodes in the decision tree. 

A very detailed analysis of the complexity is given in the full version of 
the paper. The In a: protocol (Protocol EJ affects the complexity the most. Its 
overall overhead is 0(max(log |T|, k)) oblivious transfers. Since \T\ is usually 
large (e.g. log \T\ — 20), and on the other hand k can be set to small values 



54 



Yehuda Lindell and Benny Pinkas 



(e.g. k = 12), the overhead can be defined as 0(log|T)) oblivious transfers. 
The main communication overhead is incurred by the circuit evaluation and is 
0(k\og\T\ ■ |S|) bits. 

Finding the best attribute for a node. This step requires running the 
In x protocol for every attribute and for every combination of attribute- value 
and class-value, and evaluating a small circuit. The communication overhead 
is 0(\R\m£k\og \T\ ■ IS)) bits and the computation overhead is 0{\R\ml\og |T|) 
oblivious transfers. The number of rounds is 0(1). 

Computing all nodes of the decision tree. All nodes on the same level 
of the tree can be computed in parallel. We therefore have that the number of 
rounds equals 0(d) where d is the depth of the tree. The value of d is upper 
bound by |i?| but is expected to be much smaller. 

Overall complexity: 

— Parameters: For a concrete example, assume that there are a million trans- 
actions \T\ = 2 20 , |i?| = 15 attributes, each attribute has m = 10 possible 
values, the class attribute has t = 4 values, and k = 10 suffices to have the 
desired accuracy. Say that the depth of the tree is d = 7, and that it uses 
private keys of length IS) = 80 bits. 

— Rounds: There are O(d) rounds. 

— Communication: The communication overhead is 0(\D\ ■ \R\m£k log \T\ ■ 
|S|). In our example, this is |D| • 15 • 10 • 4 • 10 • 20 • 80 = 9, 600, 000|H| bits 
times a very small constant factor. We conclude that the communication per 
node can be transmitted in a matter of seconds using a fast communication 
network (e.g. a T1 line with 1.5Mbps bandwidth, or a T3 line with 35Mbps). 

— Computation: The computation overhead is 0(|H| • |-R|mflog |T|). In our 
example, this is an order of |D| • 15 • 10 • 4 • 20 = 12, 000|JD| exponentiations 
and oblivious transfers. Assuming that a modern PC can compute 50 expo- 
nentiations per second, we conclude that the computation per node can be 
completed in a matter of minutes. 

In the full paper we present a comparison to generic solutions that shows 
that our protocol achieves a considerable improvement (both in comparison to 
the complete ID3 protocol and to the xlox protocol). 




Reducing the Servers Computation in Private 
Information Retrieval: PIR with Preprocessing 



Amos Beimel 1 , Yuval Ishai 2 , and Tal Malkin 3 

1 Dept, of Computer Science, Ben-Gurion University, Beer-Sheva 84105, Israel. 

beimelOcs . bgu .ac.il 

2 DIMACS and AT&T Labs - Research, USA. yuval@dimacs.rutgers.edu 

3 AT&T Labs - Research, 180 Park Ave., Florham Park, NJ 07932, USA. 

tal@resear ch . att . com. 



Abstract. Private information retrieval (PIR) enables a user to retrieve 
a specific data item from a database, replicated among one or more 
servers, while hiding from each server the identity of the retrieved item. 
This problem was suggested by Chor et al. m, and since then efficient 
protocols with sub-linear communication were suggested. However, in 
all these protocols the servers’ computation for each retrieval is at least 
linear in the size of entire database, even if the user requires just one 
bit. 

In this paper, we study the computational complexity of PIR. We show 
that in the standard PIR model, where the servers hold only the database, 
linear computation cannot be avoided. To overcome this problem we pro- 
pose the model of PIR with preprocessing : Before the execution of the 
protocol each server may compute and store polynomially-many informa- 
tion bits regarding the database; later on, this information should enable 
the servers to answer each query of the user with more efficient computa- 
tion. We demonstrate that preprocessing can save work. In particular, we 
construct, for any constant k > 2, a fc-server protocol with 
communication and 0(n/ log 2k ~ 2 n) work, and for any constants k > 2 
and e > 0 a fc-server protocol with 0(n 1 A+ e ) communication and work. 
We also prove some lower bounds on the work of the servers when they 
are only allowed to store a small number of extra bits. Finally, we present 
some alternative approaches to saving computation, by batching queries 
or by moving most of the computation to an off-line stage. 



1 Introduction 

In this era of the Internet and www.bigbrother.com, it is essential to protect the 
privacy of the small user. An important aspect of this problem is hiding the in- 
formation the user is interested in. For example, an investor might want to know 
the value of a certain stock in the stock-market without revealing the identity 
of this stock. Towards this end, Chor, Goldreich, Kushilevitz, and Sudan HU 
introduced the problem of Private Information Retrieval (PIR). A PIR protocol 
allows a user to access a database such that the server storing the database does 
not gain any information on the records the user read. To make the problem 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. 55-Q 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



56 



Amos Beimel, Yuval Ishai, and Tal Malkin 



more concrete, the database is modeled as an n bit string x, and the user has 
some index i and is interested in privately retrieving the value of Xi . 

Since its introduction, PIR has been an area of active research, and various 
settings and extensions have been considered (e.g., fctfcibU H2()ll Mil 7ll4lmsil 911 5j . 
Em Most of the initial work on PIR has focused on the goal of minimizing 
the communication , which was considered the most expensive resource. However, 
despite considerable success in realizing this goal, the real-life applicability of the 
proposed solutions remains questionable. One of the most important practical 
restrictions is the computation required by the servers in the existing protocols; 
in all protocols described in previous papers, the (expected) work of the server(s) 
involved is at least n, the size of the entire database, for a single query of the 
user. This computation overhead may be prohibitive, since the typical scenario 
for using PIR protocols is when the database is big. 

In this paper, we initiate the study of using preprocessing to reduce server 



>ape 

computation^!] We demonstrate that, while without any preprocessing linear 
computation is unavoidable, with preprocessing and some extra storage, com- 
putation can be reduced. Such a tradeoff between storage and computation is 
especially motivated today; as storage becomes very cheap, the computation time 
emerges as the more important resource. We also provide some lower bounds on 
this tradeoff, relating the amount of additional storage and the computation re- 
quired. Finally, we present some alternative approaches to saving computation. 
While this paper is still within the theoretical realm, we hope that the approach 
introduced here will lead to PIR protocols which are implemented in practice. 



Previous Work. Before proceeding, we give a brief overview of some known re- 
sults on PIR. The simplest solution to the PIR problem is that of communicating 
the entire database to the user. This solution is impractical when the database 
is large. However, if the server is not allowed to gain any information about 
the retrieved bit, then the linear communication complexity of this solution is 
optimal To overcome this problem, Chor et al. cu suggested that the user 
accesses replicated copies of the database kept on different servers, requiring that 
each server gets absolutely no information on the bit the user reads (thus, these 
protocols are called information-theoretic PIR protocols). The best information- 
theoretic PIR protocols known to date are summarized below: (1) a 2-server 
protocol with communication complexity of O (n 1 / 3 ) bits fTO) . (2) a fc-server 
protocol, for a constant k, with communication complexity of O (n 1 ^ 2 * -1 )) bits 
12) (improving on in, see also jEJ), and (3) a protocol with O(logn) servers 
and communication complexity of O (log 2 n log log if) bits mm- In all these 
protocols it is assumed that the servers do not communicate with each otherO 
A different approach for reducing the communication is to limit the power 
of the servers; i.e. , to relax the perfect privacy requirement into computational 
indistinguishability against computationally bounded servers (thus, these pro- 
tocols are called computational PIR protocols). Following a 2-server construc- 

1 ED have used preprocessing in a different model, allowing to move most computation 
to special purpose servers (though not reducing the total work). See more below. 

2 Extensions to t-private PIR protocols, in which the user is protected against collu- 

sions of up to t servers, have been considered in PUSH- 




Reducing the Servers Computation in PIR 



57 



tion of Chor and Gilboa EE Kushilevitz and Ostrovsky m proved that in 
this setting one server suffices; under a standard number theoretic assumption 
they construct, for every constant e > 0, a single server protocol with com- 
munication complexity of O (n e ) bits. Cachin, Micali, and Stadler 0 present a 
single server protocol with polylogarithmic communication complexity, based on 
a new number theoretic intractability assumption. Other works in this setting 
are |2M24l27MIM2ir] . 

The only previous work that has addressed the servers’ computation is that 
of Gertner, Goldwasser, and Malkin El ( see also E2J), who present a model for 
PIR utilizing special-purpose privacy servers, achieving stronger privacy guaran- 
tees and small computation for the original server holding the database. While 
their protocols save computation for the original server, the computation of the 
special-purpose servers (who do not hold the database) is still linear for every 
query. In contrast, our goal is to reduce the total computation by all servers. 
Di-Crescenzo, Ishai, and Ostrovsky m present another model for PIR using 
special-purpose servers. By extending their technique, it is possible to shift most 
of the servers’ work to an off-line stage, at the expense of requiring additional 
off-line work for each future query. This application is discussed in Section 0 

Our Results. As a starting point for this work, we prove that in any fc-server 
protocol the total expected work of the servers is at least n (or negligibly smaller 
than n in the computational setting). Consequently, we suggest the model of 
PIR with preprocessing: Before the first execution of the protocol each server 
computes and stores some information regarding the database. These bits of 
information are called the extra bits (in contrast to the original data bits). Later 
on, this information should enable the servers to perform less computation for 
each of the (possibly many) queries of the usersfl The number of extra bits each 
server is allowed to store in the preprocessing stage is polynomial in n. 

We demonstrate that preprocessing can save computation. There are three 
important performance measurements that we would like to minimize: commu- 
nication, servers’ work (i.e., computation), and storage. We describe a few pro- 
tocols with different trade-offs between these parameters. We first construct, for 
any e > 0 and constant k > 2, a fc-server protocol with 0(n 1 ^ 2k ~ 1 ' 1 ) communica- 
tion, O (ro/(elogn) 2fc_2 ) work, and 0(n 1+e ) extra bits (where n is the size of the 
database) . The importance of this protocol is that it saves work without increas- 
ing the communication compared to the best known information-theoretic PIR 
protocols. We define a combinatorial problem for which a better solution will 
further reduce the work in this protocol. Our second construction moderately 
increases the communication; however the servers’ work is much smaller. For 
any constants fc > 2 and e > 0, we construct a fc-server protocol with polyno- 
mially many extra bits and 0(n 1//fc+e ) communication and work. All the above 
protocols maintain information-theoretic user privacy. 

We prove, on the negative side, that if the servers are only allowed to store 
a bounded number of bits in the preprocessing stage, then their computation 
in response to each query is big. In particular, we prove that if the servers are 

3 This problem can be rephrased in terms of Yao’s cell-probe model m in the full 
version of the paper we elaborate on the connection with this model. 



58 



Amos Beimel, Yuval Ishai, and Tal Malkin 



allowed to store only e extra bits (e > 1) in the preprocessing stage, then the 
expected work of the servers is fi{n/e). 

Finally, we suggest two alternative approaches for saving work. First, we 
suggest batching multiple queries to reduce the amortized work per query, and 
show how to achieve sub-linear work while maintaining the same communication. 
Second, we show how to shift most of the work to an off-line stage, applying a 
separate preprocessing procedure for each future query. While generally more 
restrictive than our default model, both of these alternative approaches may be 
applied in the single-server case as well. 

Organization. In Section 0 we provide the necessary definitions, in Section El 
we construct PIR protocols with reduced work, and in Section 0 we prove our 
lower bounds. In Section 0 we present the alternative approaches of batching 
and off-line communication, and in Section 0 we mention some open problems. 

2 Definitions 

We first define one-rounc0 information-theoretic PIR protocols. A fc-server PIR 
protocol involves k servers Si, . . . ,Sk, each holding the same n-bit string x (the 
database), and a user who wants to retrieve a bit Xi of the database. 

Definition 1 (PIR). A k-server PIR protocol V = (Qi, ..., Qk,Ai , ... ,Ak,C) 
consists of three types of algorithms: query algorithms Qj(-,-), answering algo- 
rithms Aj(-, •), and a reconstruction algorithm C(-, •,...,•) (C has k + 2 argu- 
ments). At the beginning of the protocol , the user picks a random string r and, 
for j = 1 ,...,k, computes a query qj = Qj(i,r ) and sends it to server Sj. 
Each server responds with an answer ctj = Aj(qj,x) (the answer is a function 
of the query and the database; without loss of generality, the servers are deter- 
ministic). Finally, the user computes the bit by applying the reconstruction 
algorithm C(i , r, ai, . . . , a&). A PIR protocol is secure if: 

Correctness. The user always computes the correct value of x^. Formally, 
C(i,r,Ai(Qi(i,r),x),.. . ,A k (Qk{i,r),x)) = x t for every i € {l,...,n}, every 
random string r, and every database x £ {0,1}". 

Privacy. Each server has no information about the bit that the user tries to 
retrieve: For every two indices i\ and i^, where 1 < < n, and for every j, 

where 1 < j < k, the distributions Qj(ii,-) and Qj(i 2 ,-) are identical. 

We next define the model proposed in this paper, PIR with preprocessing. 
Adding the preprocessing algorithm £ will become meaningful when we define 
the work in PIR protocols. 

Definition 2 (PIR with Preprocessing). A PIR protocol with e extra bits 
V = (£, Qi, . . ■ , Qk, Ai, . . . ,Ak,C) consists of 4 types of algorithms: preprocess- 
ing algorithm £ which computes a mapping from {0, 1}" to {0, l} e , query and 

4 All the protocols constructed in this paper, as well as most previous PIR protocols, 
are one-round. This definition may be extended to multi-round PIR in the natural 
way. All our results (specifically, our lower bounds) hold for the multi-round case. 



Reducing the Servers Computation in PIR 



59 



reconstruction algorithms Qj and C which are the same as in regular PIR pro- 
tocols, and the answer algorithms which, in addition to the query qj 

and the database x, have an extra parameter - the extra bits £(x). The privacy 
is as above and the correctness includes £: 

Correctness with Extra Bits. The user always computes the correct value 
of Xi. Formally, C(i, r, -4i(Qi(i, r), x, £ (x)), . . . , A k (Qk(i, r), x, £(x))) = Xj for 
every i £ {1, ...,n}, every random string r, and every database x £ {0, l} n . 

Next we define the work in a PIR protocol. We measure the work in a sim- 
plistic way, only counting the number of bits that the servers read (both from 
the database itself and from the extra bits) . This is reasonable when dealing with 
lower bounds (and might even be too conservative as the work might be higher) . 
In general this definition is not suitable for proving upper bounds. However, in 
all our protocols the servers’ total work is linear in the number of bits they read. 

Definition 3 (Work in PIR). Fix a PIR protocol V. For a query q and 
database x £ {0, 1}” we denote the the number of bits that Sj reads from x 
and £(x) in response to q by BITSj(:r,g)0 For a random string r of the user, 
an index i £ {1, ...,n}, and a database x, the work of the servers is defined 
as the sum of the number of bits each server reads. Formally, WORK(t, x, r ) = 
Y^ k j= i BITSj-(a;, Qj(i, r)). Finally, the work of the servers for an i £ (1, . . . , n}, 
and a database x is the expected value, over r, of WORK(z, x, r). That is, 
WORK (i, x) = E r [WORK(«, x , r)] . 

Notation. We let [to] denote the set {1, . . . ,m}. For a set A and an element 
i, define A © i as A U {i} if * ^ A and as A \ {i} if i £ A. For a finite set A, 
define i£jj A as assigning a value to i which is chosen randomly with uniform 
distribution from A independently of any other event. We let GF(2) denote the 
finite field of two elements. All logarithms are taken to the base 2. By H we 
denote the binary entropy function; that is, H(p ) = —plogp — (1 —p) log(l —p). 

3 Upper Bounds 

We show that preprocessing can reduce the work. We start with a simple pro- 
tocol which demonstrates ideas of the protocols in the rest of the section, in 
Section m we present a 2-server protocol with 0(n/log 2 n) work, and in Sec- 
tion |^] we construct a fc-server protocol, for a constant k, with 0{n / \og 2k ~ 2 n) 
work. In these protocols the communication is 0{n 1 ^ 2k ~ 1 ' ) ) for k servers. In 
Section l3.3l we describe a combinatorial problem concerning spanning of cubes; 
a good construction for this problem will reduce the work in the previous proto- 
cols. Finally, in Section 13.41 we utilize PIR protocols with short query complexity 
to obtain fc-server protocols with O (n 1 / fe+e ) work and communication. 

A Warm-Up. We show that using n 2 /logn extra bits we can reduce the work 
to n/logn. This is only a warm-up as the communication in this protocol is 
0(n). We save work in a simple 2-server protocol of Chor et al. [TTj . 

5 Technically speaking, also £(x) should have been a parameter of BITS. However, 
since £ is a function of x we can omit it. 



60 



Amos Beimel, Yuval Ishai, and Tal Malkin 



Original Protocol m- The user selects a random set A 1 C [n], and com- 
putes A 2 = A 1 ® i. The user sends A> to Sj for j = 1,2. Server Sj an- 
swers with X£. The user then computes a 1 ® a 2 which equals 

x l © = x i- Thus, the user outputs the correct value. The 

communication in this protocol is 2 [n + 1) = 0(n ), since the user needs to send 
n bits to specify a random subset A J to Sj, and Sj replies with a single bit. 

Our Construction. We use the same queries and answers as in the above 
protocol, but use preprocessing to reduce the servers’ work while computing 
their answers. Notice that in the above protocol each server only computes 
the exclusive-or of a subset of bits. To save on-line work, the servers can pre- 
compute the exclusive-or of some subsets of bits. More precisely, the set [n] is 
partitioned to n/logn disjoint sets D\, . . . , D n n ogn of size logn (e.g., D t = 
{(t — 1) log n + 1, . . . , flog n} for t = 1, . . . , n/ log n). Each server computes the 
exclusive-or for every subset of these sets. That is, for every t, where 1 < t < 
n/logn, and every G C D t , each server computes and stores (BteG x e- This re- 
quires (n/ log n) • 2 logra = n 2 / log n extra bits. Once a server has these extra bits, 
it can compute its answer as an exclusive-or of n/logn bits; that is, Sj computes 
the exclusive-or of the pre-computed bits x h ■ • • j ©reAinu , , x l- 

3.1 A 2-Server Protocol with Improved Work 

We describe, for every constant e, a 2-server protocol with 0(n 1+e ) extra bits, 
O (n 1 / 3 ) communication, and 0(n/ (e 2 log 2 n)) work. Thus, our protocol exhibits 
tradeoff between the number of extra bits and the work. As the best known 
information-theoretic 2-server protocol without extra bits requires O (n 1 / 3 ) com- 
munication, our protocol saves work without paying in the communication. 

Theorem 1. For every e, where e > 4/ logn, there exists a 2-server PIR proto- 
col with n 1+e extra bits in which the work of the servers is O (n/(e 2 log 2 n)) and 
the communication is (^(n 1 / 3 ). 

Proof. We describe a simpler (and slightly improved) variant of a 2-server pro- 
tocol of PS, and then show how preprocessing can save work for the servers. 
Original Protocol (variant of j l l j ) . Let n = m 3 for some m, and con- 
sider the database as a 3-dimensional cube, i.e. , every i £ [n] is represented 
as (?’i,* 2 ,* 3 ) where i r £ [m] for r = 1,2,3. This is done using the natural 
mapping from {0, l} m to ({0, l} m ) 3 . In Fig. [0 we describe the protocol. It 
can be checked that each bit, except for Xi lt i 2j i 3 , appears an even number of 
times in the exclusive-or the user computes in Step0 thus cancels itself. There- 
fore, the user outputs aJ* 1 ,* 2 ,* 3 as required. Furthermore, the communication is 
0(m ) = (^(n 1 / 3 ). 

Our Construction. To save on-line work the servers pre-compute the exclusi- 
ve-or of some sub-cubes of bits. Let a = 0.5elogn. The set [to] is partitioned to 
m/a disjoint sets D i, . . . , D m / a of size a (e.g., D t = {(£ — 1 )a + 1, . . . , ta} for 
t = 1, . . . ,m/a). For every i £ [to], every ti,t%, where 1 < ti,t -2 < m/a, every 
G i C D tl , and every G 2 C D t2 , each server computes and stores the three bits 



Reducing the Servers Computation in PIR 



61 



A Two Server Protocol with Low Communication 


1. The user selects three random sets A],©,© C [m], and computes 


© = A) © i r for r = 1,2,3 
3 = 1,2. 


The user sends © , © , © to Sj for 


2. Server Sj computes for every I £ [m] 


a i,e ~ ®i ie A 3 2 ,e 2 eA 3 3 Xe ’ e iA’ 
a 3,i ~ ®e ie A 3 1 ,e 2 eA 3 2 Xe i’ e 2’ e ’ 


a i,e ~ ©qeA© 2 eA© l.Uhn an d 


and sends the 3m bits {a© : 


r € {1, 2, 3} , £ £ [m]} to the user. 


3. The user outputs © r _ x 2 3 (© 


r ® a r,i r )- 



Fig. 1. A two server protocol with communication O (r© 3 ). 

© £ i£G 1 ,t 2 £G 2 lEGiAeGj and ©, 

i£Gi,4eG 2 Tllis re “ 

quires 3 m ■ (m/a) 2 ■ 2 2a < to 3 ■ 2 elogn = n 1+£ extra bits. Once a server has these 
extra bits, it can compute each bit of its answer as an exclusive-or of 0(m 2 / a 2 ) 
pre-computed bits. 

Analysis. The answer of each server contains 0(m) bits, and each bit requires 
reading 0(m 2 /a 2 ) bits. Thus, the number of bits that each server reads is 
0(m 3 /a 2 ) = O (n/(elogn) 2 ). □ 

3.2 A fc-Server Protocol with Small Communication 

We present a fc-server protocol with 0(n 1+t ) extra bits, O (n l ^ 2k ~ 1 )) communi- 
cation, and O (n/(elogn) 2fc ~ 2 ) work for constant k. (The best known informat- 
ion-theoretic fc-server protocol without extra bits requires the same communica- 
tion and 0(n) work). 

Theorem 2. For every k and e > 4fc/logn, there is a k-server PIR protocol 
with n 1+e extra bits in which the work is O ((2fc) 4fe n/(elogro) 2fe_2 ) and the com- 
munication is O© 1 ^ 2 *^ 1 © If k is constant, the work is O (?r/(elog n) 2k ~ 2 ), and 
if k < 0.5(logn© 4 and e > 1 then the work is O (n/ (e\ogn) k ~ 2 ) . 

Proof. We save work in a fc-server protocol of Ishai and Kushilevitz m- 
Original Protocol m- As the protocol of m involves some notation, we 
only describe its relevant properties. Let n = m d for some m and for d = 2k — 1. 
The database is considered as a d-dimensional cube. That is, every index i £ [ n } 
is represented as (ii, *2j • • • j *d) where i r £ [to] for r = 1,2 , ,d. A sub-cube of 
the d-dimensional cube is defined by d sets A\ , . . . , Ad and contains all indices 
(ii, * 2 , • • • , id) such that i r £ A r for every r. A sub-cube is a (d — ©dimensional 
sub-cube if there exists some r such that |A r | = 1. In the protocol from m each 
server has to compute, for k d m sub-cubes of dimension (d— 1), the exclusive-or 
of bits of the sub-cube. The communication in the protocol is O (k 3 n 1 ^ 2k ~ 1 ' 1 ) . 
Our Construction. To save on-line work the servers compute in advance the 
exclusive-or of bits for some (d — ©dimensional sub-cubes. Let a = yjr© The 



62 



Amos Beimel, Yuval Ishai, and Tal Malkin 



set [to] is partitioned to m/a disjoint sets Di, . . . , D m / a of size a. For every 
r G {1,. . . ,d}, every £ <E [to], every t x ,t 2 , ■ ■ ■ ,t d ~ i, where 1 < t x ,t 2 , . ■ ■ ,t d ~x < 
m/a, every G\ C D tl , every G 2 C D t , 2 , . . ., and every G d - i C D td _ 1 , each 
server computes and stores the bit gG e^^Gd-i - This 

requires dm ■ ( m/a ) d ~ 1 • 2^ d ~ 1 ' )a < m d ■ = n ■ 2^ 1 ' 1 d ~ 1 = n 1+e extra 

bits (the inequality holds since d d ~ x < 2 and since e > 4fc/logrc). Once a server 
has these extra bits, it can compute each exclusive-or of the bits of any ( d — 1)- 
dimensional sub-cube as an exclusive-or of 0(TO d_1 /a d_1 ) pre-computed bits. 
Analysis. The answer of each server requires computing the exclusive-or of the 
bits of a (d — 1) -dimensional sub-cube for 0(k d m .) sub-cubes, and each sub- 
cube requires reading 0(fm/a) d ~ 1 ) bits. Thus, the number of bits that each 
server reads is 0{k d m d / a d_1 ). Recall that d = 2k — 1, thus the work reduces to 
O ((2fc) 4fe re/(elogn) 2fc_2 ). □ 

3.3 Can the Protocols Be Improved? 

We now describe a combinatorial problem concerning spanning of cubes. This 
problem is a special case of a more general problem posed by Dodis jTfij . Our 
protocols in Section rm and Section E21 are based on constructions for this 
problem; better constructions will enable to further reduce the work in these 
protocols. 

We start with some notation. Consider the collection of all d-dimensional sub- 
cubes T d = {Gi x ... x G d : G x , . . . , G d C [to]} . The exclusive-or of subsets of 
[m] d is defined in the natural way: For sets S x ,...,St Q [to] , the point £ € [m] d 
is in ©;=i Sj if and only if l is in an odd number of sets Sj . 

Definition 4 (g-xor basis). X C 2^ d is a q-xor basis of T d if every sub-cube 
in T d can be expressed as the exclusive-or of at most q sets from X. 

For example, for D ±, . . . , D m n ogrn the partition of [to], defined in Section[^ 

the collection X 0 = {G\ x G 2 : 3 i,j G\ C Di,G 2 C D 7 } is a m 2 /log 2 m-xor 
basis of T 2 . We next show how to use a g-xor basis of T 2 for 2-server PIR pro- 
tocols. A similar claim holds for g-xor basis of T 2 k_ 2 for fc-server PIR protocols. 

Lemma 1. If X is a q-xor basis of T 2 then there exists a 2-server PIR protocol 
in which the communication is 0(n 1 / 3 ), the work is 0(n 1 ^ 3 q), and the number 
of extra bits is 0(n 1,/3 \X\). 

Proof. We start with the protocol of HU, described in Fig.d in which n = m 3 . 
For each set S £ X, each server computes and stores 3m|A| bits: for every l £ [to] 
it stores the bits © (fl e 2 )eS © (<lA)e S x (iAe 2 , and ©(A. ,e 2 )es x * uh.e- In 

the protocol of m each server has to compute the exclusive-or of the bits of a 
2-dimensional sub-cube for O(m) sub-cubes. Each exclusive-or requires reading 
at most q stored bits, hence the total work per server is 0(mq) = 0(n 1 / 3 g)f] □ 



Each server should be able to efficiently decide which q bits it needs for computing 
each answer bit; otherwise our measurement of work may be inappropriate. 



Reducing the Servers Computation in PIR 



63 



Lemma Cl suggests the following problem: 

The combinatorial Problem. Construct a q-xor basis of J~d of size poly(ro d ) 
such that q is as small as possible. 

It can be shown that the smallest q for which there is a q-xor basis of T,i 
whose size is poly(?n d ) satisfies fl{m/ logm) < q < 0{m d /\og d m). We do not 
know where in this range the minimum q lies. A construction with a smaller q 
than the current upper bound will further reduce the work in PIR protocols. 

3.4 Utilizing PIR Protocols with Logarithmic Query Length 

If we have a PIR protocol with logarithmic query length and sub-linear answer 
length, then it is feasible for the servers to compute and store in advance the an- 
swers to all of the (polynomially many) possible queries. When a server receives 
a query it only needs to read the prepared answer bits. In general, 

Lemma 2. If there is a k-server PIR protocol in which the length of the query 
sent to each server is a and the length of answer of each server is /3, then there 
is a k-server PIR protocol with (3 work per server, a + f3 communication, and 
2“ • (3 extra-bits. 

A 2-server PIR protocol with a = log n and sub-linear (3 is implied by com- 
munication complexity results of mm- The most recent of those, due to Am- 
bainis and Lokam [3J, implies an upper bound of j3 = 7j 0 - 728 "' +o ( 1 )[j We use sim- 
ilar techniques to construct a family of PIR protocols which provides a general 
tradeoff between a and (3. In particular, our construction allows the exponent 
in the polynomial bounding the answer length to get arbitrarily close to 1/2 
while maintaining O(logn) query length. At the heart of the construction is the 
following lemma of Babai, Kimmel, and Lokam ||j. Let A(m,w ) = 0 (™). 

Lemma 3 (|4|). Let p(Y-[ , Y 2 ., . . . , Y rn ) be a degree-d m-variate polynomial over 
GF(2). Let y d , where 1 < h < k and 1 < i < m, be arbitrary km elements of 
GF(2), and yi = Ylh= iVe f or ^ = 1 , ...,m. Suppose that each Sj knows all 
( k — 1 )m bits y^ with h ^ j and the polynomial p, and that the user knows all 
km values y d but does not know p. Then, there exists a communication protocol 
in which each Sj simultaneously sends to the user a single message of length 
A(m , \d/k\), and the user always outputs the correct bit value of p(yi, . . . ,y m )■ 

The key idea in our construction is to apply Lemma 0 where (yi,y 2 , ■ ■ ■ ,ym) 
is a “convenient” encoding of the retrieval index i. Specifically, by using a low- 
weight encoding of i, the data bit Xi can be expressed as a low-degree polynomial 
(depending on x) in the bits of the encoding. By letting the user secret-share the 
encoding of i among the servers in an appropriate manner, Lemma 0 will allow 
the servers to communicate Xi to the user efficiently. Low-weight encodings (over 
larger fields) have been previously used in PIR-related works Ion lll l| . However, 
it is the combination of this encoding with Lemma 0 which gives us the extra 
power. 

7 This immediately implies a protocol with n 0- 728 ---+°( 1 ) communication and work 
and n 1728 - ■+°( 1 ) extra-bits. 

8 A degree-d polynomial is a multi-linear polynomial of (total) degree at most d. 



64 



Amos Beimel, Yuval Ishai, and Tal Malkin 



Theorem 3. Let m and d be positive integers such that A(m , d) > n. Then, for 
any k > 2, there exists a k-server PIR protocol with a = (k — 1 )ro query bits 
and (3 = A{in , \ d/k\) answer bits per server. 

Proof. Assign a distinct length-m binary encoding E(i) to each index i £ [n], 
such that E(i) contains at most d ones. (Such an encoding exists since A(m, d) > 
n.) For each x £ {0, 1}", define a degree-d m-variate polynomial p x over GF(2) 
such that p x (E(i)) = Xi for every i £ [n]0 Specifically, let p x (Yi, ■ . ■ , Y m ) = 
Sr=i x i ' P^(Yi, . . . ,Y m ), where each j/ 1 ' 1 is a fixed degree-d polynomial such 
that pM ( E(i ')) equals 1 if i = i! and equals 0 if i ^ i! . (The polynomials pW can 
be constructed in a straightforward way; details are omitted from this version.) 
The protocol with the specified complexity is described below. The user encodes 
i as the m-bit string y = E{i), and breaks each bit ye, where 1 < l < m, into k 
additive shares yj , . . . , y 1 /’, that is, y \, . . . , y\~ X are chosen uniformly at random 
from GF(2), and y\ is set so that the sum (i.e., exclusive-or) of the k shares is 
equal to ye. The user sends to each Sj the (k — 1 )m shares y'f with h ^ j. The 
query sent to each Sj consists of ( k — 1 )m uniformly random bits, guaranteeing 
the privacy of the protocol. By Lemma 0 each server can send A(m , \ d/k\) bits 
to the user such that the user can reconstruct p x (yi, • ■ ■ , y m ) = x -i- □ 

We note that, by using const ant- weight encodings, Theorem 0 can be used 
to improve the communication complexity of the 2-server protocol from HH 
and its fc-server generalizations from prrai| by constant factors. This and further 
applications of the technique are studied in j7J. For the current application, 
however, we will be most interested in denser encodings, in which the relative 
weight d/m is fixed as some constant 9 , where 0 < 9 < 1/2. In the following 
we rely on the approximation < A[m, [9m\) < 2 H ^ m (cf. [22] 

Theorem 1.4.5]). For A(m , |j? TO J) > ntohold, it is sufficient to let m = (1 /H(9)+ 
o(l)) logn. Substituting the above m and d = \_9rn\ in TheoremO, and applying 
the transformation to PIR with preprocessing described in Lemma, [21 we obtain: 



Theorem 4. For any integer k > 2 and constant 0 < 9 < 1/2, there ex- 
ists a k-server protocol with ( 0 / fc )/^( 0 )+°( 1 ) communication and work, and 

n (k-l+H(e/k))/H(8)+o(l) ex l ra bitg. 

In particular, since H(9/k)/H{9 ) tends to 1/k as 9 tends to 0, we have: 

Theorem 5. For any constants k > 2 and e > 0 there exists a k-server protocol 
with polynomially many extra bits and O (n 1,/fc+e ) communication and work. 

The number of extra bits in the protocols of Theorem El may be quite 
large. By partitioning the database into small blocks, as in Em, it is possi- 
ble to obtain a more general tradeoff between the storage and the communica- 
tion and work. Specifically, by using blocks of size n M , where 0 < y < 1, we 

9 The existence of an encoding E : [n] — > GF(2) m such that Xi can be expressed 
as a degree-d polynomial in the encoding of i easily follows from the fact that the 
space of degr ee-d m-variate polynomials has dimension A(m,d). We use the specific 
low-weight encoding for concreteness. Furthermore, the condition A(m, d) > n is 
essential for the existence of such encoding. 



Reducing the Servers Computation in PIR 



65 



obtain a protocol with n rH(6/k)/H(,8)+(i-k,)+o(i) commun i ca ti on and work and 
n ii(k-i+H(e/k))/H(6)+(i-[i)+o(i) extra bits0 It follows that for any constant e > 0 
there exists a constant d > 0 such that there is a 2-server protocol with 0(n 1+e ) 
extra bits and 0{n 1 ~ e ) communication and work. 

Remark 1. There is a fc-server PIR protocol with one extra bit (which is the 
exlusive-or of all bits in the database), 2 k-\ ' n wor ki and O(n) communication. 
Thus, with 1 extra-bit we can save a constant fraction of the work. In Section ^ 
we show that with a constant number of bits at most a constant fraction of the 
computation can be saved, and if the bit is an exclusive-or of a subset of the 
data bits then the computation is at least n/2. Thus, this protocol illustrates 
that our lower bounds are essentially tight. The protocol will be described in the 
full version of this paper. 



4 Lower Bounds 



We prove that without preprocessing (namely without extra bits), the expected 
number of bits all servers must read is at least n, the size of the database. We 
then prove that if there are e extra bits (e > 1) then the expected number of 
bits all servers must read is J2(n/e). These lower bounds hold for any number of 
servers k, and regardless of the communication complexity of the protocol. 

Note that we only prove that the expectation is big, since there could be 
specific executions where the servers read together less bits El The fact that 
there are executions with small work should be contrasted with single-server 
(computational) PIR protocols without preprocessing, where the server has to 
read the entire database for each query, except with negligible probability: if the 
server does not read X£ in response to some query, it knows that the user is not 
interested in xt, violating the user’s privacy. 

We start with some notation crucial for the lower bound. Fix a PIR protocol, 
and denote the user’s random input by r. Let C C {0, 1}" be a set of strings 
(databases) to be fixed later. Define Bj ( i ) as the set of all indices that server th- 
reads in order to answer the user’s query when the database is chosen uniformly 
from C. Note that the set of bits Bj(i) that Sj reads is a function of the query 
and the values of the bits that the server has already read. Since the query is 
a function of the index and the user’s random input, the set Bj(i ) is a random 
variable of the user’s random input r and the database cGjjC. Next define 



m 



def 



max 

l<i<n 




le\jB 3 (i) 1. 



(1) 



10 In particular, the protocol obtained by letting k = 2, d = 1 — l/\/2, and /i = H{6) 
is very similar (and is slightly superior) to the protocol implied by |3J- 

11 For example, consider the following 2-server protocol (without any extra bits). The 
user with probability i sends i to server <Si, and nothing to server £ 2 , and with 
probability (1 — - ) sends a random j ^ i to Si, and sends [n] to 1 S 2 . Server Sj, upon 
reception of a set Bj, replies with the bits {xt : l £ Bj} to the user. 



66 



Amos Beimel, Yuval Ishai, and Tal Malkin 



That is, for every index i we consider the probability that at least one server 
reads Xt on a query generated for index i , and P(£) is the maximum of these 
probabilities. Furthermore, define the random variable Bj = f Bj( 1) (by Lemma, ^ 
below, the random variable Bj would not change if we choose another index 
instead of 1). Finally, for every £ define P ; (£) = f Pr rc [£ G Bj], that is, the 
probability that xt is read by Sj (again, by Lemma 0 below, this probability is 
the same no matter which index i was used to generate the query). 

4.1 Technical Lemmas 

We start with three lemmas that will be used to establish our lower bounds. 
First note that, by the user’s privacy, the view of Sj, and in particular Bj(i), is 
identically distributed for 1 and for any i. Thus, 

Lemma 4. For every j G {1, . . . , k}, every index i G [n], and every set B C [n], 
Pr r , c [Bj(i) = B] = Pr r , c [Bj = B], 



Lemma 5. For every j G {1, . . . , k} it hold that E rjC [|Hj|] = E™=i PjD- 

Proof. Define the random variables Y\,...,Y n where Yg = 1 if £ G Bj and Y) = 0 
otherwise. Clearly, E rc \Yf\ = Pr [Y) = 1] = P j (£) . Furthermore, \Bj\ = EL i Pg 
T hus, E r , c [| Bj |] = E r ,’ c E” = i Y(\ = E" = i E r,c [Ye] = ELi p lM- □ 

Next we prove that ELi P(^) is a lower bound on the expected number of 
bits the servers read, namely on the expected work for a random database in C. 

Lemma 6. For every i G [n], E rjC Ej=i \Bj{f)\ > E”=i P (L 

Proof. First, for an index £ G [n] let it be an index that maximizes the probability 
in the r.h.s. of m, that is, P(£) = Pr rjC ]£ G (J"_i L (if.) ■ Second, by LemmaEl 

Pj(£) = Pr[£eBj(i e )}. ( 2 ) 

r,c 

Therefore, using the union bound, 



P(£) = Pr 

r,c 



Bj(i t ) < E Pr [e G Bj (**)] = £ p j (£) . (3) 

l=i J i=i ’ l=i 

Third, by Lemma 0 

E r , c [|-Bj('i)|] = E riC [|-Bi|] . (4) 

Thus, by linearity of the expectation, Equation ©, Lemma|31 and Inequality © 



E r 



E 

1=1 



— y } E r ,c [\Bj (i)|] — E! p r,c [\Bj |] 

1=1 1=1 

k / n \ n / k 

=E Ew = E E p .w] a E p w- 



□ 



l=i \e=i 



e=i \i= l 



i= l 



Reducing the Servers Computation in PIR 



67 



We express Lemma EH as a lower bound on the work for a specific database. 

Corollary 1. For every PIR protocol there exists a database c G {0, l} n such 
that for every i G [n\, WORK(i, c) > YHi-i P(^)* 

Proof. By our definitions E r>cGC J2j = i \ B j (*)l =Er,cec i BITSj(c, Qj{i,r)) = 
E c ecWORK(i, c). Thus, by Lemma0 E ce cWORK(i, c) > ^" =x P(f). Therefore, 
there must be some c G C such that WORK(z, c) > P W- 1=1 



Remark 2. In the full version of this paper we prove that the corollary holds 
(up to a negligible difference) even if we replace the perfect privacy of the k- 
server PIR protocol with computational privacy. Thus, all the lower bounds in 
this section hold, up to a negligible difference, for fc-server computational PIR 
protocols as well. 



4.2 Lower Bound without Extra Bits 



We next prove that without extra bits the expected number of bits that the 
servers read is at least n. This lower bound holds for every database. For sim- 
plicity we prove this lower bound for the case that the database is 0 n . The idea 
behind the lower bound is that one cannot obtain the value of xe without reading 
xg, thus for every query the user generates with index £ at least one server must 
read X£. This implies that P(£) = 1 and the lower bound follows Corollary Q 

Theorem 6. For every PIR. protocol without extra bits and for every i G fnl 
WORK(i,O ra ) > n. 



Proof. By Corollary |T| it is enough to prove that P(i') > 1 for every t. (Trivially, 
P(f) < 1). Define C = {0™}, i.e., the probabilities P(£) are defined when the 
value of the database is 0". However, without reading the value of a bit, the 
servers do not know this value. If when the user queries about the £th. bit no 
server reads this bit, then the answers of all the servers are the same for the 
databases 0" and 0 e ~ 1 10 n ~ e , so with this query for one of these databases the 
user errs with probability at least 1/2 in the reconstruction of X£. Thus, by the 
correctness, for any possible query of the user generated with index t, at least 



one of the servers must read X£. Thus, P(£) > Pr r £ G (J 7= i Bj{£) 



= 1 . 



□ 



4.3 Lower Bound with Extra Bits 

In this section we show that a small number of extra bits cannot reduce the 
work too much. The proof uses information theory, and especially properties of 
the entropy function H (see, e.g., H2J). 

To describe the ideas of the proof of the lower bound we first consider a 
special case where each of the e extra bits is an exclusive-or of a subset of the 
bits of the database. That is, there is a system of e linear equations over GF(2) 
that determines the values of the extra bits; the unknowns are the bits of the 



68 



Amos Beimel, Yuval Ishai, and Tal Malkin 



database. This is the case in all our protocols. (Better lower bounds for this case 
are presented in the end of this section.) 

By Corollary Q we need to prove that the probabilities P (£) are big. We fix 
the database to be x = 0 n , therefore the values of the extra bits are fixed to 

0 as well. Assume towards a contradiction that P(£) < l/(e + 1) for at least 
e + 1 indices, which, w.l.o.g., are 1, . . . , e + 1. This implies that for every i, where 

1 < z < e + 1, when the user is retrieving the zth bit, the servers, with positive 
probability, do not read any of the bits Xi, ... , x e+ \. 

Now let x e+ 2 , ■ ■ ■ , x n and all the extra bits be zero. We have established that 
in this case the servers with positive probability do not read the bits xi , . . . , x e +i, 
and the user concludes that X\ = 0, . . . , £ e +i = 0 from the answers of the 
servers. Hence, by the correctness, it must hold that X\ = 0, . . . , cc e -pi = 0. 
But in this case the linear system that determines the extra bits is reduced to 
a system of e homogeneous linear equations over GF(2) where the unknowns 
are the bits xi , . . . , x e +\. Any homogeneous system with e equations and e + 1 
unknowns has a non-trivial solution. Therefore, there is a non-zero database in 
which x e + 2 j . . . , x n and all the extra bits be zero, contradiction since at least one 
bit Xi among xi , . . . , x e +i is not determined by x e + 2 , ■ • ■ , x n and the extra bits. 

The above proof is only the rough idea of the proof of the general case. One 
problem in the general case is that we cannot fix the value of the database, and 
we need more sophisticated methods. 

Theorem 7. For every PIR protocol with e extra bits, there is some database 
c £ {0, l} n such that for every i £ [n], WORK(z, c) > — \ . 

Proof. Since there are e extra bits, there exits a value for these bits that is 
computed for at least 2 n ~ e databases. Fix such a value for the extra bits and let 
C be the set of databases with this value for the extra bits. Thus, \C\ > 2 n ~ e . 
Let C be a random variable distributed uniformly over C, and Ci be the ith bit 
of C. By definition, 

H(C) = log \C\ >n — e. (5) 

We will prove that for all indices, but at most 2e, it holds that P(f?) > l/(4e). 
Thus, the theorem follows from Corollary [□ Without loss of generality, assume 
that P(l) < P(2) < . . . < P(n). We start with a simple analysis of the entropies 
of Ci . First, by properties of conditional entropy, 

2e 

H(C0 = H(Cr ...C n )< H(C 2 e+i . . . C n ) + ^ H(Q|C 2e+1 ...C n ). (6) 

l=i 

Second, since C 2e+ iC 2e+2 . . . C n obtains at most 2" -2e values, 

H(C' 2e +iC' 2e + 2 . . . C n ) < n — 2e. (7) 

Combining |j5l), O, and 0, 

2e 

H(C , ||C 2e +iC 2e _)_ 2 . . . C n ) > H(Ci . . . C n ) — H(C 2e +i . . . C n ) > e. (8) 

i=i 

The next lemma, together with (JED, shows that not too many P(£) are small. 



Reducing the Servers Computation in PIR 



69 



Lemma 7. If P(£) < ^ for every £ £ [2e], then H(Q|C 2 e +i • ■ ■ C n ) < 0.5 for 
every £ £ [2e] . 

Proof. Fix I and consider an experiment where the database c is chosen uni- 
formly from C and the PIR protocol is executed with the user generating a ran- 
dom query for index I. With probability at least half, none of the bits x\, . . . , X 2 e 
are read by any server in this execution (the probability is taken over the random 
input of the user and over the uniform distribution of c € C). Denote by C C C 
the set of all strings in C for which there is a positive probability that none of 
the bits X\,. . . , X2 e is read by any server (this time the probability is taken only 
over the random input of the user). Thus, \C'\ > 0.5 \C\. Since the user always 
reconstructs the correct value of the bit X(, then for every c' £ C the values of 
the bits C 2e> * * • ’ C n determine the value of cy , that is, for every c £ C if 
for every m £ {2e + 1, . . . , n}, then cn = Now, define a random variable Z 
where Z — 1 if the values of the bits C 2 e , . . . , c n determine the value of q and 
Z = 0 otherwise. In particular, Z must be 1 for any string in C . Hence, 



Pr [Z = 1] > 0.5. (9) 

c 

Furthermore, 

H(CV| C 2e +i • • ■ C n Z = 1) = 0. (10) 

On the other hand, since C( obtains at most two values, 

H(Q|C 2e+ i . . . C n Z = 0) < H {Ci) < 1. (11) 

By definition of conditional entropy, 0 : on, and (0 

R(Cl\C2e+l...C n Z) 

= Pr [Z = 0] • H(C,|C 2e+ i • ■ • C n z = 0) + Pr [Z = 1] • H(C,|C 2e+ i ...C n Z= 1) 
<Pr[Z = 0] < 0.5. (12) 

The values of C^e+i, ■ • . , C n determine the value of Z, i.e., H(Z\C 2 e +i ■ ■ ■ C n ) = 
0. Thus, H(Q|C 2e+ i . . . C n ) = R(C e \C 2e +i ■ ■ ■ C n Z ) < 0.5. □ 

Lemma □ and (0 imply that P (£) > l/4e for at least one £ £ {1, . . . ,2e}. 
Since we assume, without loss of generality, that P(l) < P(2) < . . . < P(n), 
then i P(^) 'i S”= 2 e+i P(^) > (n — 2e)/4e, and by Corollary Q] the work of 
servers is as claimed in the theorem. □ 

Better Lower Bounds for Exclusive-or Extra Bits. If each extra bit is 



an exclusive-or of the bits of a subset of the database, then the lower bound 
of Theorem 0 can be improved by a factor of log n, as stated in the following 
theorem (whose proof is omitted). 

Theorem 8. If e < logn, then in every k-server PIR protocol with e exclusive- 
or extra bits the work of the servers is at least (n — 2 e )/2. If logn < e < y/n, 
then in every k-server PIR protocol with e exclusive-or extra bits the work is 
I2(nlogn/e). 

As explained in Remark0 the lower bound for a constant number of extra bits is 
essentially tight, as a matching upper bound protocol with one extra bit exists. 



70 



Amos Beimel, Yuval Ishai, and Tal Malkin 



5 Alternative Approaches for Saving Work 

The PIR with preprocessing model allows to reduce the on-line work in PIR 
protocols. In this section we discuss two alternative approaches for achieving 
the same goal. While both are in a sense more restrictive than our original 
model, in some situations they may be preferred. For instance, they both allow 
to substantially reduce the on-line work in single - server computational PIR, 
which is an important advantage over the solutions of Section 

5.1 Batching Queries 

In the first alternative setting, we allow servers to batch together several queries 
before replying to all of them. By default, no preprocessing is allowed. The main 
performance measures of PIR protocols in this setting are: (1) the amortized 
communication complexity , defined as the average communication per query; (2) 
the amortized work per query; (3) the batch size , i.e., the minimum number of 
queries which should be processed together; and (4) the extra space required 
for storing and manipulating the batched queries. Note that in the case of a 
single user, the trivial PIR solution of communicating the entire database gives 
an optimal tradeoff between the batch size and the amortized work, namely 
their product is However, this solution provides a poor tradeoff between 
the amortized communication and the batch size (their product is n). Moreover, 
as in the remainder of this paper, we are primarily interested in the general 
situation where different queries may originate from different users 0 

Our main tool for decreasing the amortized work is a reduction to matrix 
multiplication. The savings achieved by the state-of-the-art matrix multiplica- 
tion algorithms can be translated into savings in the amortized work of the 
PIR protocols. To illustrate the technique, consider the 2-server PIR protocol 
described in Fig. [TJ In a single invocation of this protocol, each server has to 
compute the exclusive-or of O (n 1 / 3 ) two-dimensional sub-cubes. Each such com- 
putation can be expressed as evaluating a product (over GF(2)) of the form a t Xb, 
where a and b are vectors in GF(2) n determined by the user’s query, and X is 
an n 1 / 3 x n 1 / 3 matrix determined by the database x. It follows that the answers 
to n 1 / 3 queries can be computed by evaluating O^n 1 ^ 3 ) matrix products of the 
form A- X ■ B, where the j - th row of A and the j-th column of B are determined 
by the j-th query. The communication complexity of the protocol is 0(n 1 ^ 3 ) per 
query, and its space and time requirements depend on the matrix multiplication 
algorithm being employed. Letting to denote the exponent of matrix multipli- 
cation (Coppersmith and Winograd m prove that w < 2.376), the amortized 
work can be as low as (^(n 1 / 3 ^/ 3 ) /n 1 / 3 = 0(n w ^ 3 ), with batch size n 1 / 3 . 

Finally, we note that the same approach can also be employed towards re- 
ducing the amortized work in computational single-server PIR protocols, when 
batching queries of users who share the same key. In the protocols from 11201241271 . 
which utilize homomorphic encryption, the server’s computation on multiple 

12 This is optimal by the lower bound of Theorem El 

13 In this setting, the amortized communication complexity cannot be smaller than 
the communication complexity of a corresponding (single-query) PIR protocol. 



Reducing the Servers Computation in PIR 



71 



queries can be reduced to evaluating several matrix products. In each product 
one matrix depends on the queries and is given in an encrypted form (using a 
key held by the user) and the other depends on the database and is given in a 
plain form. Now, by the definition of homomorphic encryption, an encryption 
of the sum of two encrypted values and an encryption of the product of an en- 
crypted value with a non-encrypted value are both easy to compute. It turns out 
that these two operations are sufficient for implementing a fast matrix multipli- 
cation algorithm where one of the matrices is given in an encrypted form and 
the output may be encrypted as well. It follows (e.g., by modifying the protocol 
from PD!) that for any constant e > 0 there is a constant e' > 0, such that there 
exists a single-server PIR protocol with 0(n e ) batch size, 0(n e ) communication, 
0(n 1 ~ e ) amortized work, and sub-linear extra space. 

5.2 Off-Line Interaction 

In the PIR with preprocessing model, a single off-line computational effort can 
reduce the on-line work in each of an unlimited number of future queries. It is 
natural to ask whether the on-line work can be further reduced if a separate off- 
line procedure is applied for each query. More precisely, we allow the user and 
the servers to engage in an off-line protocol, involving both communication and 
computation, so as to minimize the total on-line work associated with answering 
a single future query. (The off-line protocol may be repeated an arbitrary number 
of times, allowing to efficiently process many on-line queries.) During the off- 
line stage, the database x is known to the servers but the retrieval index i is 
unknown to the user. The goal is to obtain protocols with a small on-line work 
and “reasonable” off-line workQ 

Towards achieving the above goal we extend an idea from HU. Given any k- 
server PIR protocol (fc > 1) in which the user sends a query bits to each server 
and receives (3 bits in return, Di-Crescenzo et al. M show how to construct 
another fc-server protocol where: (1) in the off-line stage the user sends a bits 
to each server and receives nothing in return; (2) in the on-line stage the user 
sends log n bits to each server and receives (3 bits in return. Since there are only 
n possible on-line queries made by the user, the servers can pre-compute the 
answers to each of these queries. Thus, with j3n storage, O(a) off-line communi- 
cation and polynomial off-line computation, the on-line work is reduced to 0((3). 
Fortunately, most known PIR protocols admit variants in which the answer com- 
plexity (3 is very small, as small as a single bit in the multi-server case, while a 
is still sub-linear (see PU for a detailed account). For instance, in the 2-server 

computational PIR protocol of Chor and Gilboa HOI, a = 2°(\ /i °s") and (3 = 1. 
Furthermore, by utilizing the structure of specific PIR protocols (including the 
one from mi). the off-line computation of each server may be reduced to mul- 
tiplying a length-n data vector by an n x n Toeplitz matrix determined by the 
user’s query. Thus, using the FFT algorithm, the total off-line computation can 
be made very close to linear. 

14 This may be compared to the approach of Gertner et al. T3, where instead of 
shifting most computation to a “more reasonable place” (special purpose servers), 
here we shift most computation to a “more reasonable time” (the off-line stage). 



72 



Amos Beimel, Yuval Ishai, and Tal Malkin 



6 Open Problems 

We have shown that using preprocessing in PIR protocols one can obtain poly- 
nomial savings in the amount of computation without severely affecting the 
communication complexity. However, this work only initiates the study on PIR 
with preprocessing, and there are many open problems for further research. The 
obvious open problem is if more substantial savings are possible: 

How much can the work be reduced using polynomially many extra bits? 
How much can be saved using linearly many extra bits? 

All the solutions provided in this work (with the exception of Section 0 are 
multi-server, information-theoretic PIR protocols. It is therefore natural to ask: 

Can preprocessing substantially save work in single-server PIR protocols? 

Acknowledgments. We thank Oded Goldreich for suggesting the question of 
preprocessing in PIR protocols. Part of the work of Amos Beimel was done 
while in Harvard University, supported by grants ONR-N00014-96-1-0550 and 
ARO-DAAL03-92-G0115. 

References 

1. W. Aiello, S. Bhatt, R. Ostrovsky, and S. Rajagopalan. Fast Verification of Any 
Remote Procedure Call: Short Witness-Indistinguishable One-Round Proofs for 
NP. In ICALP 2000. 

2. A. Ambainis. Upper bound on the communication complexity of private informa- 
tion retrieval. In 24th ICALP, volume 1256 of LNCS , pages 401-407, 1997. 

3. A. Ambainis and S. Lokam. Improved upper bounds on the simultaneous messages 
complexity of the generalized addressing function. In LATIN 2000. 

4. L. Babai, P. Kimmel, and S. Lokam. Simultaneous messages vs. communication. 
In 12th STACS, volume 900 of LNCS, pages 361-372, 1995. 

5. D. Beaver and J. Feigenbaum. Hiding instances in multioracle queries. In 7th 
STACS, volume 415 of LNCS, pages 37-48. Springer- Verlag, 1990. 

6. D. Beaver, J. Feigenbaum, J. Kilian, and P. Rogaway. Locally random reductions: 
Improvements and applications. J. of Cryptology, 10:17-36, 1997. Early version: 
Security with small communication overhead, CRYPTO ’90. 

7. A. Beimel and Y. Ishai. On private information retrieval and low-degree polyno- 
mials. Manuscript, 2000. 

8. A. Beimel, Y. Ishai, E. Kushilevitz, and T. Malkin. One-way functions are essential 
for single-server private information retrieval. In 31th STOC, pages 89-98, 1999. 

9. C. Cachin, S. Micali, and M. Stadler. Computationally private information retrieval 
with polylogarithmic communication. In EUROCRYPT ’99, volume 1592 of LNCS, 
pages 402-414. Springer, 1999. 

10. B. Chor and N. Gilboa. Computationally private information retrieval. In 29th 
STOC, pages 304-313, 1997. 

11. B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan. Private information retrieval. 
In 36th FOCS, pages 41-51, 1995. Journal version: JACM, 45:965-981, 1998. 

12. T. M. Cover and J. A. Thomas. Elements of Information Theory. John Wiley & 
Sons, 1991. 



Reducing the Servers Computation in PIR 



73 



13. D. Coppersmith and S. Winograd. Matrix multiplication via arithmetic progres- 
sions. J. Symbolic Comput., 9:251-280, 1990. 

14. G. Di-Crescenzo, Y. Ishai, and R. Ostrovsky. Universal service-providers for 
database private information retrieval. In 17th PODC, pages 91 100, 1998. 

15. G. Di-Crescenzo, T. Malkin, and R. Ostrovsky. Single-database private information 
retrieval implies oblivious transfer. In EUROCRYPT 2000, volume 1807 of LNCS, 
pages 122 -138, 2000. 

16. Y. Dodis. Space-Time Tradeoffs for Graph Properties. Master’s thesis, Mas- 
sachusetts Institute of Technology, 1998. 

17. Y. Gertner, S. Goldwasser, and T. Malkin. A random server model for private 
information retrieval. In RANDOM ’98, 2nd Workshop on Randomization and 
Approximation Techniques in CS, vol. 1518 of LNCS, pages 200-217. 1998. 

18. Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. Protecting data privacy in 
private information retrieval schemes. In 30th STOC, pages 151- 160, 1998. 

19. Y. Ishai and E. Kushilevitz. Improved upper bounds on information theoretic 
private information retrieval. In 31th STOC, pages 79 - 88, 1999. 

20. E. Kushilevitz and R. Ostrovsky. Replication is not needed: Single database, 
computationally-private information retrieval. In 38th FOCS, pages 364-373, 1997. 

21. E. Kushilevitz and R. Ostrovsky. One-way trapdoor permutations are sufficient 
for non-trivial single-server private information retrieval. In EUROCRYPT 2000, 
volume 1807 of LNCS, pages 104-121, 2000. 

22. .1. H. van Lint. Introduction to Coding Theory. Springer- Verlag, 1982. 

23. T. Malkin. A Study of Secure Database Access and General Two-Party Computa- 
tion. PhD thesis, MIT, 2000. http://theory.lcs.mit.edu/~cis/cis-theses.html . 

24. E. Mann. Private access to distributed information. Master’s thesis, Technion - 
Israel Institute of Technology, Haifa, 1998. 

25. R. Ostrovsky and V. Shoup. Private information storage. In 29th STOC, pages 
294-303, 1997. 

26. P. Pudlak and V. Rodl. Modified Ranks of Tensors and the Size of Circuits. In 
25th STOC, pages 523-531, 1993. 

27. J. P. Stern. A new and efficient all-or-nothing disclosure of secrets protocol. In 
ASIACRYPT ’98, volume 1514 of LNCS, pages 357-371. Springer, 1998. 

28. A.C. Yao. Should tables be sorted? JACM, 28:615-628, 1981. 




® g 



Parallel Reducibility for 
Information-Theoretically Secure Computation 



Yevgeniy Dodis 1 and Silvio Micali 1 

Laboratory for Computer Science, Massachusetts Institute of Technology, USA. 
{yevgen, silvio}@theory . lcs .mit . edu 



Abstract. Secure Function Evaluation (SFE) protocols are very hard to 
design, and reducibility has been recognized as a highly desirable property 
of SFE protocols. Informally speaking, reducibility (sometimes called 
modular composition) is the automatic ability to break up the design 
of complex SFE protocols into several simpler, individually secure com- 
ponents. Despite much effort, only the most basic type of reducibility, 
sequential reducibility (where only a single sub-protocol can be run at 
a time), has been considered and proven to hold for a specific class of 
SFE protocols. Unfortunately, sequential reducibility does not allow one 
to save on the number of rounds (often the most expensive resource in 
a distributed setting), and achieving more general notions is not easy 
(indeed, certain SFE notions provably enjoy sequential reducibility, but 
fail to enjoy more general ones). 

In this paper, for information-theoretic SFE protocols, we 

• Formalize the notion of parallel reducibility, where sub-protocols can 
be run at the same time; 

• Clarify that there are two distinct forms of parallel reducibility: 

* Concurrent reducibility, which applies when the order of the sub- 
protocol calls is not important (and which reduces the round 
complexity dramatically as compared to sequential reducibility) ; 
and 

* Synchronous reducibility, which applies when the sub-protocols 
must be executed simultaneously (and which allows modular 
design in settings where sequential reducibility does not even 
apply). 

• Show that a large class of SFE protocols (i.e., those satisfying a slight 
modification of the original definition of Micali and Rogaway ESI) 
provably enjoy (both forms of) parallel reducibility. 



1 Introduction 

The objective of this paper is to understand, define, and prove the implementabil- 
ity of the notion of parallel reducibility for information-theoretically secure multi- 
party computation. Let us start by discussing the relevant concepts. 

Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. 74-1921 2000. 

Springer- Verlag Berlin Heidelberg 2000 



Parallel Reducibility for Information-Theoretically Secure Computation 



75 



SFE Protocols. A secure function evaluation (SFE) is a communication pro- 
tocol enabling a network of players (say, having a specified threshold of honest 
players) to compute a (probabilistic) function in a way that is as correct and 
as private as if an uncorruptable third party had carried out the computation 
on the players’ behalf. SFE protocols were introduced by Goldreich, Micali and 
Wigderson in a computational setting (where the parties are computation- 
ally bounded, but can observe all communication), and by Ben-Or, Goldwasser 
and Wigderson |3J and Chaum, Crepeau and Damgard [7] in an information- 
theoretic setting (where the security is unconditional, and is achieved by means 
of private channel 43). We focus on the latter setting. 

SFE Definitions. Together with better SFE protocols, increasingly precise def- 
initions for information-theoretic SFE have been proposed; in particular, those of 
Beaver [2] , Goldwasser and Levin m , Canetti 0 , and Micali and Rogaway ESI 
At a high-level, these definitions express that whatever an adversary can do in 
the real model (i.e., in the running of the actual protocol, where no trusted party 
exists) equals what an adversary can do in the ideal model (i.e., when players 
give their inputs to the trusted third party, who then computes the function for 
them) . This more or less means that the most harm the adversary can do in the 
real model consists of changing the inputs of the faulty players (but not based 
on the inputs of the honest players!), and then running the protocol honestly. 

All these prior definitions are adequate, in the sense that they (1) reasonably 
capture the desired intuition of SFE, and (2) provide for the existence of SFE 
protocols (in particular, the general protocol of |Q satisfies all of them). Were 
properties (1) and (2) all one cared about, then the most “liberal” definition of 
SFE might be preferable, because it would allow a greater number of reasonable 
protocols to be called secure. However, if one cared about satisfying additional 
properties, such as reducibility (i.e., as discussed below, the ability of designing 
SFE protocols in a modular fashion) , then more stringent notions of SFE would 
be needed. 

Reducibility and Sequential Reducibility. Assume that we have designed 
a SFE protocol, F, for a function / in a so called semi-ideal model, where one 
can use a trusted party to evaluate some other functions g 1 , . . . , g k . Assume also 
that we have designed a SFE protocol, Gi, for each function g l . The reducibility 
property says that, by substituting the ideal calls to the g l, s in F with the 
corresponding SFE protocols G,’s, we are guaranteed to obtain a SFE protocol 
for / in the real model. 

Clearly, reducibility is quite a fundamental and desirable property to have, 
because it allows one to break the task of designing a secure protocol for a com- 
plex function into the task of designing secure protocols for simpler functions. 
Reducibility, however, is not trivial to satisfy. After considerable effort, only the 
the most basic notion of reducibility, sequential reducibility , has been proved 

1 This means that every pair of players has a dedicated channel for communication, 
which the adversary can listen to only by corrupting one of the players. 



76 



Yevgeniy Dodis and Silvio Micali 



to hold for some SFE notions: those of |5J and ESI- Informally, sequential re- 
ducibility guarantees that substituting the ideal calls to the g 1 ' s in F with the 
corresponding Gf s yields a SFE protocol for / in the real model only if a single 
Gi is executed (in its entirety!) at a timeQ Therefore, sequential reducibility is 
not general enough to handle protocols like the expected 0(l)-round Byzantine 
agreement protocol of m (which relies on the concurrent execution of n 2 specific 
SFE protocols) whose security, up to now, must be proven “from scratch” . 



1.1 Our Results 

In this paper, we put forward the notion of parallel reducibility and show which 
kinds of SFE protocols satisfy it. We actually distinguish two forms of parallel 
reducibility: 

• Concurrent reducibility. 

This type of reducibility applies when, in the semi-ideal model, the g 1 , . . . , g k 
can be executed in any order. The goal of concurrent reducibility is improving 
the round- complexity of modularly designed SFE protocols. 

• Synchronous reducibility. 

This type of reducibility applies when, in the semi-ideal model, the g 1 , . . . , g k 
must be executed “simultaneously.” The goal of synchronous reducibility is 
enlarging the class of modularly designed SFE protocols (while being round- 
efficient as well). 



Concurrent Reducibility. There are many ways to schedule the execution of 
several programs Gi , . . . , Gk ■ Each such way is called an interleaving. The fc! 
sequential executions of Gi, . . . , Gk are examples of interleavings. But they are 
very special and “very few,” because interleavings may occur at a round-level. 
For instance, we could execute the Gfs one round at a time in a round-robin 
manner, or we could simultaneously execute, in single round r, the r-th round (if 
any) of all the Gfs. Saying that programs Gi, . . . , Gfc are concurrently executable , 
relative to some specified goal, means that this goal is achieved for all of their 
interleavings. 

Assume now that a function / is securely evaluated by a semi-ideal protocol 
F which, in a set of contiguous instructions, only makes ideal calls to functions 
g 1 ,...,g k , and let Gi be a SFE protocol for g l (in the real model). Then, a 
fundamental question arise: 

Will substituting each g l with Gi yield a (real-model) SFE 
protocol for f in which the Gi ’s are concurrently executable ? 

Let us elaborate on this question. Assume, for instance, that F calls g 2 on inputs 
that include an output of g 1 . Then we clearly cannot hope that the Gf s are 

2 This is true even if, within F, one could “ideally evaluate” all or many of the g l, s 
“in parallel.” 



Parallel Reducibility for Information-Theoretically Secure Computation 



77 



concurrently executable. Thus, to make sense of the question, all the inputs to 
the g 1 ' s should be determined before any of them is ideally evaluated. Moreover, 
even if all the g 1 ' s are evaluated on completely unrelated and “independent” 
inputs, F may be secure only for some orders of the g % ' s, but not for others, 
which is illustrated by the following example. 

Example 1: Let / be the coin-flipping function (that takes no inputs and outputs 
a joint random bit), let g 1 be the coin-flipping function as well, and let g 2 be 
the majority function on n bits. Let now F be the following semi-ideal protocol. 
Each player Pj locally flips a random bit bj. Then the players “concurrently” 
use ideal calls to g 1 and g 2 (bi , . . . , b n ), getting answers r and c respectively. The 
common output of F is r © c. We claim that F is secure if we first call g 2 (the 
majority) and then g 1 (the coin-flip), but insecure if we do it the other way 
around. Indeed, irrespective of which c we get in the first ordering, since r is 
random (and independent of c), then so is r ® c. On the other hand, assume we 
first learn the random bit r and assume faulty players want to bias the result- 
ing coin- flip towards 0. Then the faulty players pretend that their (supposedly 
random) inputs bj for the majority are all equal to r. Provided there are enough 
faulty players, this strategy will bias the outcome c of g 2 (the majority) towards 
r, and thus the output of F towards 0. 

Clearly, in the case of the above example, we cannot hope to execute the 
Gi’s concurrently: one of the possible interleavings is the one that sequentially 
executes the Gj’s in the order that is insecure even in the semi-ideal model. 
Thus, the example illustrates that the following condition is necessary for the 
concurrent execution of the Gj’s. 

Condition 1: F is secure in the semi-ideal model for any order of the g 1 ' s. 

Is this necessary condition also sufficient? Of course, the answer also depends 
on the type of SFE notion we are using. But, if the answer were YES, then we 
would get the “strongest possible form of concurrent reducibility.” Let us then 
be optimistic and put forward the following informal definition. 

Definition 1: We say that a SFE notion satisfies concurrent reducibility if, 
whenever the protocols F,Gi, . . . ,Gk satisfy this SFE notion, Condition 1 
is (both necessary and) sufficient for the concurrent execution of the Gj’s 
inside F (in the real model). 

Our optimism is justified in view of the following 

Theorem 1: A slight modification of the SFE notion of Micali and Rog- 
away pa satisfies concurrent reducibility. 

We note that the SFE notion of Micali and Rogaway is the strictest one proposed 
so far, and that we have been unable to prove analogous theorems for all other, 
more liberal notions of SFE. We conjecture that no such analogous theorems 
exist for those latter notions. In support of our conjecture, we shall point out in 



78 



Yevgeniy Dodis and Silvio Micali 



Section 14. 31 the strict properties of the definition of ESI that seem to be essential 
in establishing Theorem 1. 

We remark that concurrent reducibility is important because it implies sig- 
nificant efficiency gains in the round-complexity (often the most expensive re- 
source) of modularly designed SFE protocols. This is expressed by the following 
immediate Corollary of Definition 1. 

Corollary 1: Assume that F,g 1 ,...,g k satisfy Condition 1, that Gi is a 
protocol for g l taking Ri rounds, and that F,Gi, . . . ,Gk are SFE proto- 
cols according to a SFE notion satisfying concurrent reducibility. Then, 
there is a (real model) SFE implementation of F executing all the Gi s 
in max(i?i, . . . , Rk) rounds. 

This number of rounds is the smallest one can hope for, and should be contrasted 
with i?i + • • • + Rk j the number of rounds required by sequential reducibility. 

Synchronous Reducibility. The need to execute several protocols in parallel 
does not necessarily arise from efficiency considerations or from the fact that it 
is nice not to worry about the order of the execution. A special type of parallel 
execution, synchronous execution , is needed for correctness itself. 

Example 2: Let / be the two-player coin-flipping function that returns a random 
bit to the first two players, P\ and P 2 , of a possibly larger network. That is, 
/(A, A, A, . . . , A) = (ir, x, A, ... , A), where x is a random bit (and A is the empty 
string) . Consider now the following protocol F : player P\ randomly and secretly 
selects a bit aq, player P 2 randomly and secretly selects a bit x 2 , and then P 1 
and P 2 “exchange” their selected bits and both output x = aq ® x 2 . 

Clearly, F is a secure function evaluation of / only if the exchange of x\ and 
x 2 is “simultaneous”, that is, whenever P\ learns x 2 only after it declares aq, and 
vice versa. This requirement can be modeled as the parallel composition of two 
sending protocols: g 1 (x 1 , A, A, . . . , A) = (aq, aq, A, . . . , A) and g 2 ( A, x 2 , A, . . . , A) = 
(aq, x 2 , A, . . . , A). That is, we can envisage a semi-ideal protocol in which players 
P± and P 2 locally flip coins aq and aq, then simultaneously evaluate g 1 and g 2 , 
and finally exclusive OR their outputs of g 1 and g 2 . However, no sequential order 
of the ideal calls to g 1 and g 2 would result in a secure two-player coin-flipping 
protocol. This example motivates the introduction of a special type of parallel 
composition (for security rather than efficiency considerations). 

The ability to evaluate several functions synchronously is very natural to de- 
fine in the ideal model: the players simultaneously give all their inputs to the 
trusted party, who then gives them all the outputs (i.e., no output is given be- 
fore all inputs are presented). We can also naturally define the corresponding 
semi-ideal model, where the players can ideally and simultaneously (i.e., within 
a single round) evaluate several functions. Assume now that we have a semi- 
ideal protocol F for some function / which simultaneously evaluates functions 
g 1 , . . . , g k , and let Gi be a secure protocol for g l . Given an interleaving I of 
the Gi s, we let F 1 denote the (real-model) protocol where we substitute the 



Parallel Reducibility for Information-Theoretically Secure Computation 



79 



single ideal call to g 1 , . . . ,g k with k real executions of the protocols Gi inter- 
leaved according to I. As apparent from Example 2, we cannot hope that every 
interleaving I will be “good,” that is, will yield a SFE protocol F 1 for /. (For 
instance, in the semi-ideal coin-flipping protocol F of Example 2, no matter how 
we design SFE protocols G\ and G 2 for g 1 and g 2 , any sequential interleaving 
of G\ and G 2 yields an insecure protocol.) Actually, the guaranteed existence of 
even a single good interleaving cannot be taken for granted, therefore: 

Can we be guaranteed that there is always an interleaving I 
of Gi , . . . , Gk such that F 1 is a SFE protocol for f? 

Of course, the answer to the above question should depend on the notion of SFE 
we are using. This leads us to the following informal definition. 

Definition 2: We say that a SFE notion satisfies synchronous reducibility 
if, whenever the protocols F, Gi, . . . ,Gk satisfy this SFE notion, there exists 
an interleaving I such that F 1 is a SFE protocol under this notion. 

Example 2 not only shows that there are bad interleavings, but also that a 
“liberal” enough definition of SFE will not satisfy synchronous reducibility. In 
particular, 

Lemma 2: The SFE notions of do not support synchronous re- 

ducibility. 

Indeed, according to the SFE notions of 0EEH, the protocol G\ consisting of 
player P\ sending x\ to player P 2 is a secure protocol for g l . Similarly, the 
protocol G 2 consisting of player P 2 sending X 2 to player Pi is a secure protocol 
for g 2 . However, there is no interleaving of G\ and G 2 that will result in a secure 
coin-flip. This is because the last player to send its bit (which includes the case 
when the players exchange their bits in one round, due to the “rushing” ability 
of the adversary; see Section O is completely controlling the outcome. 

On the positive side, we show|j 

Theorem 2: A slight modification of the SFE notion of Micali and Rog- 
away m satisfies synchronous reducibility. 

Theorem 2 actually has quite a constructive form. Namely, the nature of the 
definition in ca not only guarantees that “good” interleavings I always exist, 
but also that there are many of them, that they are easy to find, and that 
some of them produce efficient protocols. We summarize the last property in the 
following corollary. 

Corollary 2: With respect to a slightly modified definition of SFE of Micali 
and Rogaway m let F be an ideal protocol for / that simultaneously calls 
functions g 1 , . . . ,g k , and let Gi be an F t -round SFE protocol for g l . Then 
there exists (an easy to find) interleaving / of the Gfs, consisting of at most 
2 ■ max(R 1 , . . . ,Rk) rounds, such that F 1 is a SFE protocol for /. 

3 As is illustrated in Section o the above “natural” protocols Gi and G 2 are indeed 
insecure according to the definition of EH- 



80 



Yevgeniy Dodis and Silvio Micali 



In other words, irrespective of the number of sub-protocols, we can synchronously 
interleave them using at most twice as many rounds as the longest of them takesQ 
Let us remark that, unlike Corollary 1 (that simply follows from the definition 
of concurrent reducibility) , Corollary 2 crucially depends on the very notion of 
m , as is discussed more in Section IT3l 

In Sum. We have (1) clarified the notion of parallel reducibility, (2) distilled 
two important flavors of it, (3) modified slightly the SFE notion of Micali and 
Rogaway, and (4) showed that there exist SFE notions (e.g., the modified notion 
of P2J) as well as general SFE protocols (e.g., the one of 0) that satisfy (both 
forms of) parallel reducibility. 

Enjoying (both forms of) parallel reducibility do not necessarily imply that 
the definition of H3 is “preferable” to others. If the protocol one is designing 
is simple enough or is unlikely to be composed in parallel with other protocols, 
other definitions are equally adequate (and may actually be simpler to use). 
However, understanding which SFE notions enjoy parallel reducibility is crucial 
in order to simplify the complex task of designing secure computation protocols. 

2 The (Modified) Micali-Rogaway Definition of SFE 

Consider a probabilistic function /(x,r) = (/i(x, r), . . . , /„(x, r)) (where x = 
(xi, . . . , x n )). We wish to define a protocol F for computing / that is secure 
against any adversary A that is allowed to corrupt in a dynamic fashion up to t 
(out of n) players 0 

2.1 Protocols and Adversaries 

Protocol: An n-party protocol F is a tuple (F, LR , CR ,1, 0 , /, t) where 

• F is a collection of n interactive probabilistic Turing machines that interact 
in synchronous rounds. 

• LR — the last round of F (a fixed integer, for simplicity). 

• CR — the committal round (a fixed integer, for simplicity). 

• L — the effective-input function, a function from strings to strings. 

• O — the effective- output function, a function from strings to strings. 

• / — a probabilistic function (which F is supposed to compute). 

• t — a positive integer less than n (a bound on the number of players that 
may be corrupted). 

4 We note that the factor of 2 is typically too pessimistic. As it will be clear from the 
precise statement of synchronous reducibility in SectionEl natural protocols Gi (like 
the ones designed using a general paradigm of 0) can be synchronously interleaved 
in max(f?i, . . . , Rk) rounds. 

5 More generally, one can have an adversary that can corrupt only certain “allowable” 
subsets of players. The collection of these allowable subsets is usually called the 
adversary structure. For simplicity purposes only, we consider threshold adversary 
structures, i.e. the ones containing all subsets of cardinality t or less. We call any 
such adversary t-restricted. 



Parallel Reducibility for Information-Theoretically Secure Computation 



81 



Adversary: An adversary A is a probabilistic algorithm. 

Executing F and A: Adversary A interacts with protocol F as a traditional 
adaptive adversary in the rushing model. Roughly, this is explained below. 

The execution of F with an adversary A proceeds as follows. Initially, each 
player j has an input Xj (for /) and an auxiliary input aj, while A has an 
auxiliary input a. (Auxiliary inputs represent any a-priori information known 
to the corresponding party like the history of previous protocol executions. An 
honest player j should ignore aj, but aj might be useful later to the adversary.) 
At any point during the execution of F, A is allowed to corrupt some player j 
(as long as A corrupts no more than t players overall). By doing so, A learns 
the entire view of j (i.e., Xj, aj, j’s random tape, and all the messages sent and 
received by j ) up to this point input. From now on, A can completely control 
the behavior of j and thus make j deviate from F in any malicious way. At the 
beginning of each round, A first learns all the messages sent from currently good 
players to the corrupted ones0 Then A can adaptively corrupt several players, 
and only then does he send the messages from bad players to good ones. Without 
loss of generality, A never sends a message from a bad player to another bad 
player. 

At the end of F, the view of A, denoted View(A, F ) consists of a, A’s random 
coins and the views of all the corrupted players. The traffic of a player j up to 
round R consists of all the messages received and sent by j up to round R. Such 
traffic is denoted traffiCj(R) (or by trafE.Cj(R, F[A]) whenever we wish to stress 
the protocol and the adversary executing with it) . 

Effective Inputs and Outputs of a Real Execution: In an execution of 
F with A, the effective input of player j (whether good or bad), denoted x F , is 
determined at the committal round CR by evaluating the effective-input function 
1 on j’s traffic at round CR: x F = I(trafEcj(CR, F[A])). The effective output 
of player j, denoted y F , is determined from j’s traffic at the last round LR via 
the effective output function O: y F = O (traffic j(LR, F[A])). Note that, for now, 
the effective inputs x F and outputs y F are unrelated to computing /. 

History of a Real Execution: We let the history of a real execution, denoted 
History(A, F), to be (View(A, F), x F , y F ). Intuitively, the history contains all 
the relevant information of what happened when A attacked the protocol F: the 
view of A, i.e. what he “learned” , and the effective inputs and outputs of all the 
players. 



2.2 Simulators and Adversaries 

Simulator: A simulator is a probabilistic, oracle-calling, algorithm S. 

6 We can even let the adversary schedule the delivery of good-to-bad messages and let 
him adaptively corrupt a new player in the middle of this process. For simplicity, we 
stick to our version. 



82 



Yevgeniy Dodis and Silvio Micali 



Executing S with A: Let A be an adversary for a protocol F for function 
/. In an execution of S with A , there are no real players and there is no real 
network. Instead, S interacts with A in a round-by-round fashion, playing the 
role of all currently good players in an execution of A with the real network, 
i.e. : (1) (makes up and) sends to A a view of a player j immediately after A 
corrupts j,( 2) sends to A the messages of currently good players to currently 
bad player^jj and (3) receives the messages sent by A (on behalf of the corrupted 
players) to currently good players. In performing these tasks, S makes use of the 
following oracle 0(x,aJJ 

• Before CR. When a player j is corrupted by A before the committal round, 
O immediately sends S the input values Xj and aj. In particular, S uses 
these values in making up the view of j . 

• At CR. At the end of the committal round CR , S sends O the value 
Xj = X(trafBcj(CR')) for each corrupted player j@In response, O randomly 
selects a string r, sets Xj = Xj for all currently good players j, computes 
y s = f(x s ,r), and for each corrupted player j sends yf back to S. 

• After CR. When a player j is corrupted by A after the committal round, O 
immediately sends S the input values x 3 and a 3 , as well as the computed 
value y 3 . In particular, S uses these values in making up the view of j. 

We denote by View(A, S) the view of A when interacting with S (using O). 

Effective Inputs and Outputs of a Simulated Execution: Consider an 
execution of S (using oracle 0(x,a)) with an adversary A. Then, the effective 
inputs of this execution consist of the above defined values x s . Namely, if a 
player j is corrupted before the committal round CR , then its effective input 
is Xj = X(tra.fRcj(CR, S[A))); otherwise (j is never corrupted, or is corrupted 
after the committal round) its effective input is Xj = Xj. The effective outputs 
are the values y s defined above. Namely, y s = f(x. s ,r), where r is the random 
string chosen by O right after the committal round. 

History of a Simulated Execution: We let the history of a simulated execu- 
tion , denoted History{A , S), to be {View (A, S ), x 5 , y s ). Intuitively, the history 
contains all the relevant information of what happened when A was communi- 
cating with S (and O): the view of A, i.e. what he “learned”, and the effective 
inputs and outputs of all the players. 



7 Notice that S does not (and cannot) produce the messages from good players to 
good players. 

8 Such oracle is meant to represent the trusted party in an ideal evaluation of /. Given 
this oracle, S ’ s goal is making A believe that it is executing F in a real network in 
which the players have inputs x and auxiliary inputs a. 

9 Here trafBcj(R) = trafRcj(R, S'fA]) of a corrupted player j denotes what A “thinks” 
the traffic of j after round R is. 



Parallel Reducibility for Information-Theoretically Secure Computation 



83 



2.3 Secure Computation 

Definition 3: An n-party protocol F is a SFE protocol for a probabilistic n- 
input / n-output function /(x,r), if there exists a simulator S such that for any 
input x = (xi, . . . , x n ), auxiliary input a = (ai, . . . , a n ), and any adversary A 
with some auxiliary input a, the histories of the real and the simulated executions 
are identically distributed: 

History(A , F) = History (A, S ) (1) 

Equivalently, {View (A, F), x F , y F ) = {View{A, S), x s , y s ). 

2.4 Remarks 

Let us provide a minimal discussion of the above definition of SFE. 

Simulators and Oracles vs. Ideal Adversaries. A standard benchmark 
in determining if a SFE notion is “reasonable” is the fact that for every real 
adversary A there exists an “ideal adversary” A! that can produce (in the ideal 
model with the trusted party) the same view as A got from the real network 0 
We argue that the existence of a simulator S in Definition 3 indeed implies the 
existence of such an adversary A' . A' simply runs A against the simulator S'. If A 
corrupts a player j before the committal round, A 1 corrupts j in the ideal model, 
and gives the values Xj and a :j (that it just learned) to S on behalf of the oracle O. 
Right after the committal round of F has been simulated by S, A! computes from 
the traffic of A the effective inputs Xj of currently corrupted players j, hands 
them to the trusted party, and returns the outputs of the corrupted players to 
S on behalf of O. Finally, if A corrupts a player j after the committal round, 
A! corrupts j in the ideal model, and gives the values Xj, cij and the output of 
j (that it just learned) to S on behalf of the oracle O. At the end, A! simply 
outputs the resulting view of A in the simulation 

We notice, however, that the “equivalent” ideal adversary A' implied by our 
definition is much more special than the possible ideal adversary envisaged by 
other definitions (e.g., 0)0 

Our Modifications of the Original SFE Notion of Micali and Rogaway. 

We contribute a slightly cleaner and more powerful version of the SFE notion 
of [T5J . Their original original notion was the first to advocate and highlight the 
importance of blending together privacy and correctness, a feature inherited by 
all subsequent SFE notions. We actually use a stronger (and more compactly 
expressed) such blending by demanding the equality of the joint distributions 

10 In fact, this requirement is more or less the SFE definition of |5j. 

11 The construction of A' intuitively explains the definition of effective inputs x s and ef- 
fective outputs y s of the simulated execution, as they are exactly the inputs/outputs 
in the run of A' in the ideal model. 

12 For instance, such A' is constrained to run A only once and in a black-box manner. 



84 



Yevgeniy Dodis and Silvio Micali 



of “view, inputs and outputs” in the real and in the simulated executions — 
a suggestion of m. which was followed by other SFE notions as well. We also 
extend the original SFE notion of m to include probabilistic functions. 

Simulator Complexity. Because we are in an information-theoretic setting, we 
certainly do not want to impose any computational restrictions on the adversary. 
However, even though we chose not to do it for simplicity, we could demand 
that the simulator to be efficient (i.e., polynomial-time in the running time of 
the protocol). Indeed, (1) the natural simulator for the general protocol of 
jl] is efficient, and (2) our parallel-reducibility theorems would hold even if we 
required simulators to be efficient. 

3 The Notion of Parallel Reducibility 

First, let us define the semi-ideal model which generalizes the real model with 
the ability to ideally evaluate some functions. More precisely, in addition to 
regular rounds (where each player sends messages to other players), the semi- 
ideal model allows players to have ideal rounds. In such a round, the players can 
simultaneously evaluate several functions g 1 , . . . , g k using a trusted third party. 
More specifically, at the beginning of this round each player gives the fc-tuple of 
his inputs to a trusted party. At the end of the round, each player gets back from 
the trusted party the corresponding fc-tuple of outputs. (Note, these fc-tuples are 
parts of players’ traffic.) 

Our definition of security of a protocol F in the semi-ideal model is the same 
as that of a real model protocol with the following addition: 

• The simulator S has to simulate all the ideal rounds as well, since they are 
part of what the adversary A expects. S has to do this using no special “g- 
oracle”. In other words, given the g-inputs of corrupted players in an ideal 
round, S has to generate the corresponding outputs of corrupted players and 
give them back to A. Also, when A corrupts a player j, S has to produce 
on its own the g- inputs/outputs of player j during all the ideal rounds that 
happened so far (as these are parts of j’s traffic, and therefore j’s view). 

Let F be a SFE protocol for / in the semi-ideal model, and let us fix our at- 
tention on any particular ideal round R that evaluates some functions g 1 , ... ,g k . 
We say that the ideal round R is order-independent if for any sequential order- 
ing 7r of g 1 , . . . , g k , semi-ideal protocol F remains secure if we replace the ideal 
round R with k ideal rounds evaluating a single g 1 at a time in the order given 
by 7 r (we denote this semi-ideal protocol by F n ). 

13 Some other SFE notions (e.g., that of (Q) demand that, for each adversary A, there 
is a simulator Sa that is efficient compared to the running time of A. Note that such 
a requirement is meaningless in our definition. Indeed, our simulator is universal. 
it must reply “properly” and “on-line” to the messages it receives, without any 
knowledge of which adversary might have generated them. 



Parallel Rcducibility for Information-Theoretically Secure Computation 



85 



Let G \, . . . , Gk be SFE protocols for g 1 , . . . , g k . We would like to substitute 
the ideal calls to the g 1 ' s with the corresponding protocols G,;’s and still get a 
secure protocol for /. As we informally argued before, there are many ways to 
substitute (or to interleave ) the Gf s, which is made precise by the following 
definition. 

Definition 4: 

• An interleaving of protocols Gi, . . . , Gk is any schedule I of their execution. 
Namely, a single round of an interleaving may execute in parallel one round 
of one or more of the Gi s with the only restriction that the rounds of each 
Gi are executed in the same order as they are in G,;. 

• A synchronous interleaving of protocols G\, . . . ,Gk with committal rounds 
Gf?i, . . . ,CRk is any interleaving / such that for any 1 < i,£ < k, round 
CRi of Gi strictly precedes round CRt + 1 of G^. We call the place after 
all the “pre-committal” rounds but before all the “post-committal” rounds 
the synchronization point of I. 

• Given an interleaving I of Gi, . . . , Gk, we let F 1 be a protocol obtained 
by substituting the ideal round R with the execution of the protocols 
Gi,...,Gfc in the order specified by I. The committal round of F 1 , its 
effective input and output functions are defined in a straightforward man- 
ner from those of F and G±, . . . ,Gk- More specifically, given the traffic of 
player j in F 1 , we replace all j’s traffic inside Gi (if any) with the effective 
inputs and outputs of player j in Gj, and apply the corresponding effective 
input/output function of F to the resulting traffic. We also remark that 
when we run Gj, we let the auxiliary input of player j to be its view of the 
computation so far. 

The fundamental question addressed by parallel reducibility is 

Assuming F,G i, . . . , Gk are SFE protocols, under which conditions is F 1 a 

SFE protocol as well? 

We highlight two kinds of sufficient conditions: (1) special properties of the 
protocol F making F 1 secure irrespective of I (which will lead us to concurrent 
reducibility), aud (2) restrictions on the interleaving I such that mere security 
of F and Gi, . . . , Gk is enough (which will lead us to synchronous reducibility). 
The following Main Theorem restates Theorem 1 and 2 of the introduction. 

Parallel-Reducibility Theorem: Consider the SFE notion of Definition 3. Let 
F be a semi-ideal SFE protocol for / evaluating g 1 , . . . , g k in an ideal round R\ 
let Gi be a SFE protocol for g l \ and let / be an interleaving of G\, . . . , Gk- Then 
F 1 is a SFE protocol for / if either of the following conditions holds: 

1. (Concurrent-Reducibility Theorem) Round R is order-independent. 

2. (Synchronous-Reducibility Theorem) Interleaving / is synchronous. 

As we argued in the introduction, if we want F 1 to be secure for all I, round R 
must be order-independent. Thus, the modified definition of Micali and Rogaway 
achieves the strongest form of concurrent reducibility. On the other, hand, we 




86 



Yevgeniy Dodis and Silvio Micali 



also argued that if we do not put any extra conditions on F and Gi , . . . , Gk (aside 
from being SFE protocols), not all interleavings I necessarily result in a SFE 
protocol. In fact, we showed in Lemma 2 that under a “too liberal” definition of 
SFE (which includes all SFE definitions other than Micali-Rogaway), it could be 
that no interleaving I will result in a secure protocol F 1 . The stringent definition 
of Micali-Rogaway (in particular, the existence of a committal round) not only 
shows that such an interleaving must exist, but also allows us to define a rich class 
of interleavings which guarantee the security of F 1 : the only thing we require 
is that all the “pre-committal” rounds precede all the “post-committal” rounds. 
In other words, players should first “declare” all their inputs to g l ’s, and only 
then proceed with the “actual computation” of any of the g 1 ' s. The intuition 
behind this restriction is clear: this is exactly what happens in the semi-ideal 
model when the players simultaneously evaluate g 1 , . . . ,g k in F. 

Remark 1: In the parallel-reducibility theorem we do not allow the adversary 
choose the interleaving / adaptively in the process of the computation. This is 
only done for simplicity. For example, synchronous reducibility will hold provided 
the adversary is restricted to select a synchronous interleaving I. And concurrent 
reducibility holds if the semi-ideal protocol F remains secure if we allow the 
semi-ideal adversary adaptively order the ideal calls to g 1 , . . . , g k . 

4 Proof of the Parallel-Reducibility Theorem 

For economy and clarity of presentation, we shall prove both concurrent and 
synchronous reducibility “as together as possible”. Let S be the simulator for 
F, let 7r be the order of committal rounds of the G*’ s in the interleaving I (if 
several committal rounds of G,’s happen in one round, order them arbitrarily), 
and let S) be the simulator for Gi. We need to construct the simulator S 1 for 
F 1 . The proofs for the concurrent and synchronous reducibility are going to be 
very similar, the main differences being the following: 

• Concurrent Reducibility. Since R is an order-independent round of F, the 
protocol F* is also secure, i.e. has a simulator S'*. We will use S * instead 
of S (together with S\ . . . Sk) in constructing S 1 . In particular, S * will 
simulate the ideal call to g l right after the committal round of G,;, which 
is exactly the order given by tt. 

• Synchronous Reducibility. Here we must use S itself. In particular, at some 
point S will have to simulate the simultaneous ideal call to g 1 , ... ,g k , and 
expects to see all the inputs of the corrupted players. Since the interleaving 
I is a synchronous interleaving, it has a synchronization point where all 
the effective inputs of the corrupted players are defined before any of the 
Gi s went on “with the rest of the computation.” It is at this point where 
we let S simulate the ideal call, because we will be able to provide S with 
all the (effective) inputs. 

To simplify matters, we can assume without loss of generality that each round of 
/ executes one round of a single Gi. Indeed, if we can construct a simulator for 




Parallel Reducibility for Information-Theoretically Secure Computation 



87 



any such interleaving, we can do it for any interleaving executing in one round a 
round of several Gf s: arbitrarily split this round into several rounds executing a 
single Gi and use the simulator for this new interleaving to simulate the original 
interleaving ^ 

4.1 The Simulator S 1 

As we will see in Section 14. 21 the actual proof will construct S 1 in k stages, 
that is, will construct k simulators S 1 ,...,S k , where S k will be S 1 . However, 
we present the final S 1 right away because it provides a good intuition of why 
the proof “goes through”. 

For concreteness, we concentrate on the concurrent reducibility case. As one 
can expect, S 1 simply runs S * and uses Si, . . . , Sk to simulate the interleaving 
of Gi, . . . , Gfc. 

• Run S* up to round R (can do it since F 1 and F* are the same up to 
round R ). 

• Tell each Si to corrupt all the players already corrupted by the adversary 
(it is irrelevant what we give to Si as their inputs). 

• Assume we execute some round of protocol Gi in the interleaving I. S 1 
then uses 5* to produce the needed messages from good-to-bad players and 
gives back to Si the response of the adversary. 

• Right after the committal round CRi of Gi has been simulated, use the 
effective input function of Gi and the traffic of the adversary in the simu- 
lation of Gt to determine the effective input w) of each corrupted player j 
to g\ 

• We notice that at this stage S'* is exactly waiting to simulate the ideal 
call to g l for the adversary. So S 1 gives S * the effective inputs as the 
adversary’s inputs to g l , and learns from S * the output Zj of each corrupted 
player j. 

• We notice that after round CRi has been simulated, the simulator Si ex- 
pects to see the outputs of all the corrupted players from the g l -oracle that 
does not exist in our simulation. Instead, we give Si the values z 7 j that we 
just learned from S * . 

• We keep running the above simulation up to the end of the interleaving I. 
We note that at this stage S * has just finished simulating the ideal calls 
to all the g 1 ' s, and waits to keep the simulation of F* starting from round 
R+l. And we just let S* do it intil the end of F 1 (we can do it since F 1 
and F* are the same again from this stage). 

• It remains to describe how S 1 handles the corruption requests of the ad- 
versary. This will depend on where in F 1 the corruption request happens. 
But in any case S 1 tells S* that the adversary asked to corrupt player j 
and learns from S * the view Vj of j in (the simulation of) F* . 

14 Here we use the fact that non-corrupted players execute all the GVs independently 
from each other, so the adversary can only benefit by executing one round of a single 
Gi at a time. 



Yevgeniy Dodis and Silvio Micali 



* If the corruption request happens before round R, simply return Vj 
to the adversary. 

* Otherwise, the adversary expects to see (possibly partial) transcript 
of j inside every Gi, which Vj does not contain. However, Vj still 
contains the supposed inputs Wj of player j to each g 1 . 

* For each i we now ask the simulator Sj to corrupt player j in order to 
learn its view inside Gi. To answer this request, Si needs help from the 
g'-oracle (that does not exist in our simulation), which S 1 provides 
as follows. 

- If the corruption happened before the committal round Gi?,;, Si 
only expects to see the input and the auxiliary input of player j 
to g l . We give him w *• as the actual input and extract from Vj 
the view of j prior to round R as j’s auxiliary input. 

- If the corruption happened after round Gf?i |ij Si also expects 
to see the output Zj of player j in g l . However, in this case such 
an output is also contained in Vj, since right after the (already 
elapsed) round CRi, we have simulated the ideal call to g l in 
F 7r . Thus, z l j is part of j’s view in F n , and as such should be 
included by S n in Vj. 

* We see that in any of the above two cases we can provide S) with the 
information it expects. Therefore, we get back the view Wj of j in Gi 
so far. 

* S 1 now simply combines Vj with Wj , ... , Wj to get the final simu- 
lated view of j, and gives it back to the adversary (we will argue later 
that the security of the Gi s implies that these views “match”). 

We remark that the simulator for synchronous reducibility is very similar. We 
essentially need to replace S v by S and let S simulate the single ideal call to 
g 1 , . . . , g k at the synchronization point of I, when the traffic of the adversary 
will simultaneously give S the (effective) inputs of the corrupted players to all 
the g 1 ' s. 

4.2 Proof Outline 

While we have already constructed the simulator S 1 , in the proof we will need to 
use the security of some particular Gj. Therefore, we will need “to move slowly” 
from the assumed secure protocol F or F v (evaluating all the g 1 , . . . , g k ideally) 
to the protocol F 1 (whose security we need to establish and which runs k real 
protocols Gi, . . . , Gk)- Roughly, we need to “eliminate” one ideal call (to some 
g l ) at a time, by “replacing” it with the protocol G^. Using the security of Gi, we 

15 This includes the case when the corruption happened “after the end” of Gi. We 
treat this corruption as having the adversary corrupt player j at the very end of the 
computation of Gi. This kind of “post-executuion” corruption has caused a lot of 
problems preventing some other SFE notions to satisfy reducibility. In our situation, 
this case presents no special problems due to the universality of the simulator and 
the information-theoretic security. 



Parallel Reducibility for Information-Theoretically Secure Computation 



89 



will then argue that this “substitution” still leaves the resulting protocol a SFE 
protocol for /. To make the above idea more precise, we need some notation 

First, from the interleaving I of Gi, . . . , Gk, we define the “projection inter- 
leaving” 7® (for each i < k). This is the interleaving of the protocols G\,. . . ,Gi 
intermixed with the ideal calls to g l+1 , . . . ,g k . More precisely, we remove from 
I the rounds of all Gi for l > i. For concurrent reducibility, we add the ideal 
calls to g e (for every l > i) right after the place where we previously had the 
committal round of Gi. We notice that this order of the ideal calls is consistent 
with the permutation 7 r. In particular, we will identify the “base” interleaving 
1 0 of g 1 , . . . , g k with the permutation 7 r. For synchronous reducibility, we add 
a single ideal call to g l+1 , . . . , g k right at the synchronization point of /, and 
still call the resulting interleaving F of G\. ... . Gi,g l+1 , . . . , g k a synchronous 
interleaving. Notice that I* -1 is also a “projection” of I®. 

Slightly abusing the notation, we now define (in a straighforward way) “inter- 
mediate” semi-ideal protocols F 1 = F 1 , which essentially replace the ideal calls 
to g 1 , . . . , g l with G\,...,Gi (but leave the ideal calls to g l+1 , ■ ■ . , g k ). We note 
that F k = F 1 and F° is either F®® (the concurrent case) or F (the synchronous 
case). We know by the assumption of the theorem that F° is secure, and need 
to show that F k is secure. Naturally, we show it by induction by showing that 
the security of F® _1 implies that of F®. Not surprisingly, this inductive step will 
follow from the security of Gi. 

To summarize, the only thing we need to establish is the following. Assume 
F® _1 is a SFE protocol for / with the simulator S ® _1 . We need to construct a 
simulator S® for F® such that for all inputs of the players and for any adversary 
A® in F l , we get 

History {A\ F i ) = History{A\ S *) (2) 

We construct S' 1 from S'® -1 and the simulator S t for Gi. Essentially, S® will run 
S'® -1 in F l and use Si (together with S l, ~ 1, s simulation of the ideal call to g l ) to 
answer the adversary inside the Gi . In the “other direction” , given adversary A 1 
in F®, we define the adversary A® -1 in F® _1 . This adversary will run A® in F® -1 , 
and will also use S t (together with the ideal call to <?® in F® -1 ) to interact with 
A® inside Gi. Informally, we will say that “S'® = S® -1 + Si” and “A® -1 = A® + Sj”. 

We observe that the security of F®^ 1 implies that 

History (A®" 1 , F®" 1 ) = History (A®~ \ S®' 1 ) (3) 

which is the same as 

(ViewtA®- 1 ^® -1 ), x^\ y^ 1 } = (View(A i-1 , S®" 1 ), x 5 *" 1 , y^" 1 ) (4) 

Now, since A® -1 essentially runs A® in the background, the view of A®” 1 (against 
both F®^ 1 and S® -1 ) will naturally “contain” the view of A®. We denote these 

16 Below, we will try to use superscripts when talking about the notions related to 
computing /, like F®, S®, A®. And we will use subscripts for the notions related to 
computing some <7®, like Gi, Si, Aj. 



90 



Yevgeniy Dodis and Silvio Micali 



views by View^F*" 1 + 5,) and View(A\ S^ 1 + Si), and let 

History (A\ F l ~ l + Si) = (View(A\F 1 ^ 1 + Si), x F ‘ \ y F ' *} (5) 

History (A\ S^ 1 + Si) = (View (A\S l ~* + Si), x s ' \ y s ‘ 1 ) (6) 

Thus, Equation © (he., assumed security of F l 1 ) implies that 

History (A 1 , F i_1 + S t ) = History {A\ S i_1 + Si) (7) 

However, from the definition of S l = S l ~ 1 + Si and the definitions of the effective 
inputs/outputs of F l based on those of F’ l ~ l , it will immediately follow that the 
latter distribution is syntactically the same as History {A 1 , S' 1 )! That is, 

History (A i , S i_1 + $) = History (A\ S *) (8) 

Therefore, Equation m and Equation © imply that what remains to prove in 
order to show Equation © is that 

History (A 1 , F l ) = History (A\ F i_1 + Si) (9) 

We remark that the “environments” F l and F l_1 + Sj are identical except 
the former runs the actual protocol Gi, while the latter evaluates g l ideally 
and uses the simulator Si to deal with A 1 inside Gi. Not surprisingly, the last 
equality (whose verification is the main technical aspect of the proof) will follow 
from the security of Gi. Namely, assuming that the last equality is false, we will 
construct an adversary A { for Gi such that History (Ai,Gi) History (Ai, Si), 

a contradiction. Roughly, A, will simulate the whole network of players in F l 
(both the adversary A’ and the honest players!), except when executing Gi. 

This completes a brief outline of the proof. Additional details can be found in (Qj . 

4.3 The Definitional Support of Parallel Reducibility 

Since at least synchronous reducibility provably does not hold for other SFE 
definitions, one may wonder what specific features of our modified definition of 
m are “responsible” for parallel reducibility. While such key features can be 
properly appreciated only from the full proof of the parallel-reducibility theorem, 
we can already informally highlight two such features on the basis of the above 
proof outline. 

On-Line Simulatability. The simulator S not only is universal (i.e., indepen- 
dent of the adversary A) and not only interacts with A in a black-box manner, 
but must also interact with A “on-line” . In other words, S runs with A only once: 
each time that S sends a piece of information to A, this piece becomes part of 
A’s final view. This is in contrast with traditional simulators, which would be 
allowed to interact with A arbitrarily many times, to “rewind” A in the middle 
of an execution, and to produce any string they want as A’s entire view. 



Parallel Reducibility for Information-Theoretically Secure Computation 



91 



The ability to generate A’s final view on-line is probably the most crucial 
for achieving any kind of parallel reducibility. For example, an adversary A of 
the composed protocol might base it actions in sub-protocol G\ depending on 
what it sees in sub-protocol G 2 and vice versa. Therefore, the resulting views 
of A inside G\ and G 2 are very inter- dependent. It thus appears crucial that, in 
order to simulate these inter-dependent views, the simulator Si for Gi should be 
capable of extending A’s view inside Gi incrementally “in small pieces” (as it 
happens with A’s view in the real execution) that should never “be taken back” . 
If, instead, we were only guaranteed that the simulator could simulate the entire 
(as opposed to “piece- by-piece” ) view of A in each of the G',’s separately, there 
is no reason to expect that these separate views would be as inter-dependent 
as A can make them in the real model. As demonstrated in Section 14 . 1 1 on the 
other hand, having on-line “one-pass” simulation makes it very easy to define 
the needed on-line simulator for A. 

Committal Rounds. Intuitively, the committal round corresponds to the “syn- 
chronization point” in the ideal function evaluation: when all the players have 
sent their inputs to the trusted party, but have not received their corresponding 
outputs yet. Not surprisingly, the notion of the committal round plays such a cru- 
cial role in synchronous reducibility. In particular, the very existence of “good” 
interleavings (i.e., synchronous interleaving, as stated in Theorem 2) is based on 
the committal rounds. Committal rounds also play a crucial role in Corollary 
2. Indeed, the greedy concurrent execution of all the “pre-committal” rounds of 
any number of sub- protocols Gi, . . . , Gk (which takes at most max(I?i, . . . , Rk ) 
rounds), followed by the greedy concurrent execution of all the “post-committal” 
rounds of Gi, . . . , Gk (which also takes at most max (/A , . . . , R k ) rounds), yields 
a synchronous interleaving of Gi, . . . , Gk with the claimed number of rounds. 

The Price of Parallel Reducibility. The definitional support of parallel re- 
ducibility “comes at a price” : it rules out some reasonable protocols from being 
called secure. For example, having Pi simply send X\ to P 2 is not a secure pro- 
tocol (in the sense of m and Definition 3) for the function g 1 ( x\ 1 A, A, . . . , A) = 
(x±,xi, A, . . . , A) of Example 2. Indeed, assume the adversary A corrupts player 
P 2 before the protocol starts and does not corrupt anyone else later on. Then 
A will learn Xi in the real execution. Therefore, for the simulator S to match 
the view of A, it must also send X\ to A in round 1. For doing so, S must learn 
Xi from its oracle before round 1. Since A does not corrupt player 1, this can 
only happen when S learns the output of corrupted player P 2 (which is indeed 
xi) after the committal round. Unfortunately, the committal round is round 1 
itself, because only then does Pi manifest its input x\ via its own message traffic. 
Thus, S will learn x\ only after round 1, which is too late. 

In sum, a reasonable protocol for function g 1 is excluded by the Definition 
3 from being secure, but this “price” has a reason: Example 2 proves that such 
(individually) reasonable protocol is not synchronously reducible. 

Parallel Reducibility in Other Settings. We have examined the concept of 
parallel reducibility in the information-theoretic setting. In particular, our proof 



92 



Yevgeniy Dodis and Silvio Micali 



of the parallel-reducibility theorem strongly uses information-theoretic security. 

It is a very interesting open question to examine parallel reducibility in the 

statistical and computational settings. 

References 

1. D. Beaver, Foundations of Secure Interactive Computing. Proc. of CRYPTO’91, 
pp. 377-391, 1991. 

2. D. Beaver, Secure multi-party protocols and zero-knowledge proof systems tolerat- 
ing a faulty majority. Journal of Cryptology , 4(2), pp. 75-122, 1991. 

3. D. Beaver and S. Goldwasser, Multi-party computation with faulty majority, 
Proc. of the 30th FOCS, pp. 468-473, 1989. 

4. M. Ben-Or, S. Goldwasser and A. Wigderson, Completeness Theorems for Non- 
Cryptographic Fault-Tolerant Distributed Computation, Proc. of the 20th STOC, 
pp. 1- 10, 1998. 

5. R. Canetti, Security and Composition of Multi-party Cryptographic Protocols. 
Journal of Cryptology , 13(l):143-202. 

6. R. Canetti, Studies in Secure Multi-party Computation and Application, Ph.D. 
Thesis, Weizmann Institute, Israel, 1995. 

7. D. Chaum, C. Crepeau and I. Damgard, Multiparty unconditionally secure proto- 
cols, Proc. of the 20th STOC, pp. 11 19, 1988. 

8. R. Cramer, U. Maurer, and I. Damgard, General secure multiparty computation 
from any linear secret-sharing scheme, Proc. EUROCRYPT’OO, pp. 316-334, 2000. 

9. Y. Dodis and S. Micali. Parallel Reducibility for Information-Theoretically Secure 
Computation. Manuscript in progress. 

10. P. Feldman and S. Micali, Optimal algorithms for Byzantine agreement, SIAM J. 
on Computing, 26(4):873-933, 1997. 

11. S. Goldwasser and L. Levin, Fair computation of general functions in presence of 
immoral majority, Proc. CRYPTO ’90, pp. 75-84, 1990. 

12. O. Goldreich, Secure Multi-Party Computation, First draft available at 
http : //theory . lcs .mit . edu/'oded. 

13. O. Goldreich, S. Micali and A. Wigderson, How to play any mental game, Proc. 
of the 19th STOC, pp. 218-229, 1987. 

14. K. Kilian, E. Kushilevitz, S. Micali and R. Ostrovsky, Reducibility and Complete- 
ness in Private Computations, To appear in SIAM J. on Computing, preliminary 
versions in Proc. of the 23rd STOC, 1991 by Kilian and in Proc. of the 35th FOCS, 
1994 by Kushilevitz, Micali and Ostrovsky. 

15. S. Micali and P. Rogaway, Secure computation, Proc. CRYPTO ’91, pp. 392-404, 
1991. Also in Workshop On Multi-Party Secure Computation, Weizmann Institute, 
Israel, 1998. 

16. T. Rabin and M. Ben-Or, Verifiable Secret Sharing and Multi-party Protocols with 
Honest Majority, Proc. of 21st STOC, pp. 75-83, 1989. 

17. A. Yao, Protocols for secure computation, Proc. of the 23rd FOCS, pp. 160-164, 
1982. 




Optimistic Fair Secure Computation 

(Extended Abstract) 



Christian Cachin and Jan Camenisch 



IBM Research, Zurich Research Laboratory 
CH-8803 Riischlikon, Switzerland 
{cca, jca}@zurich. ibm. com 



Abstract. We present an efficient and fair protocol for secure two-party 
computation in the optimistic model, where a partially trusted third 
party T is available, but not involved in normal protocol executions. T 
is needed only if communication is disrupted or if one of the two parties 
misbehaves. The protocol guarantees that although one party may termi- 
nate the protocol at any time, the computation remains fair for the other 
party. Communication is over an asynchronous network. All our proto- 
cols are based on efficient proofs of knowledge and involve no general 
zero-knowledge tools. As intermediate steps we describe efficient verifi- 
able oblivious transfer and verifiable secure function evaluation protocols, 
whose security is proved under the decisional Diffie-Hellman assumption. 



1 Introduction 

Secure computation between distrusting parties is a fundamental problem in 
cryptology. Suppose two parties A with input x and B with input y wish to 
jointly compute a function f(x, y ) of their inputs without revealing anything 
else than the result. It is known that any function can be computed securely and 
with only few rounds of interaction under cryptographic assumptions mm m 
However, if the computation should also be fair and give a guarantee that 
A learns f{x, y) if and only if B learns /(x,y), two-party protocols inevitably 
come at the cost of many rounds of interaction m- The reason is that a mali- 
cious party could always quit the protocol early, e.g., as soon as it obtains the 
information it is interested in, and the other party may not get any output at 
all. The only way to get around this are several rounds of interaction, in which 
the result is revealed verifiably and gradually bit-by-bit so that a cheating party 
has an unfair advantage of at most one bit 

This work presents an efficient protocol for fair secure computation using a 
third party T to ensure fairness, which is not actively involved if A and B are 
honest and messages are delivered without errors. This approach has been pro- 
posed for fair exchange (e.g., of digital signatures) by Asokan, Schunter, Shoup, 
and Waidner m and is known as the optimistic model. Its main benefits are a 
small, constant number of rounds of interaction between A and B , independent 
of the security parameter, and the minimal involvement of T. Our secure com- 
putation protocol maintains the privacy of one party’s inputs even if T should 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. flO- liTT! 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



94 



Christian Cachin and Jan Camenisch 



collude with the other party (unlike [2j ) - We achieve this by combining Yao’s 
technique for securely evaluating a circuit with efficient zero-knowledge proofs. 

We consider actually a more general model of fair secure computation, in 
which there are two functions, /a{x, V ) and /b(x, y), and A should learn /a(x, y) 
if and only if B learns /b(x,?/), evaluated on the same inputs. 

A key feature of our protocol is that it works in an asynchronous environment 
such as the Internet, where messages between A and B might be lost or reordered. 

Our protocol is efficient in the sense that its complexity is directly propor- 
tional to the size of the circuit computing / and does not involve large ini- 
tial costs. All our zero-knowledge proofs and verifiable primitives are based on 
proofs of knowledge about discrete logarithms, without resorting to expensive 
general zero-knowledge proof techniques involving NP-reductions. Our solution 
is of practical relevance for cases where A and B want to compute / with a 
small circuit, for example, to evaluate the predicate x a > xb (the “millionaire’s 
problem” 133), which has applications to on-line bidding and auctions. 

Baum and Waidner j3j and Micali m have observed before that fair two- 
party computation is feasible in the optimistic model. They used general tools 
and did not focus on efficient protocols for small circuits, however. 



1.1 Overview 

We build the fair secure computation protocol in several steps and use interme- 
diate concepts and protocols that may be of independent interest. 

Recall Yao’s approach to secure function evaluation m ■ The circuit con- 
structor A scrambles the bits on the wires of the circuit by replacing each with 
a random token, encrypting the truth tables of all gates accordingly such that 
two tokens together decrypt the corresponding token on the outgoing wire, and 
providing the cleartext interpretation for the tokens appearing in the circuit out- 
put. It sends the encrypted circuit to B (the circuit evaluator), who obtains the 
tokens corresponding to his input bits using one-out-of-two oblivious transfer; 
this ensures that he learns nothing about other tokens. B is then able to evalu- 
ate the circuit and to compute the output on his own. Note that secure function 
evaluation is one-sided because only B learns the output. 

Our fair secure computation protocol, presented in Section 0 consists of 
two intertwined executions of verifiable secure function evaluation (VFE) on 
committed inputs between A and B , plus recovery involving T. Verifiable secure 
function evaluation is a protocol (which we define in Section EJ extending Yao’s 
construction that computes a given function on committed inputs of A and B. 

In order to obtain the initial tokens, A and B use a verifiable oblivious transfer 
(VOT) protocol that performs a one-out-of-two oblivious transfer on committed 
values (as defined in Section 0). 

However, this solution is not sufficient for fair secure computation in the 
optimistic model. We need to escrow some information in the VFE construction 
such that a third party T can open the result of the computation in case the 
sender refuses to continue or some of its messages are lost. (The escrow protocol 
is defined and described in Section l.'i.-ll l 



Optimistic Fair Secure Computation 



95 



These protocols are based on proofs of knowledge about discrete logarithms 
and verifiable encryption. Our notation for proofs of knowledge is introduced in 
Section and allows to describe modular composition of proofs. For verifiable 
encryption we use the methods of Camenisch and Damgard m as described 
in Section FOI Our model for optimistic fair secure two-party computation is 
formalized in Section Q 



1.2 Related Work 

Beaver, Micali, and Rogaway [6( give a constant-round cryptographic protocol 
for multi-party computation. Its specialization to three parties is related to our 
three-party model in that it guarantees fairness against one malicious party, but 
T needs to be always involved. 

Fair protocols for two-party computation (and extensions to multiple parties) 
have previously been investigated by Chaum, Damgard, and van cle Graaf ra. 
by Beaver and Goldwasser (Sj , and by Goldwasser and Levin 123 - They combine 
oblivious circuit evaluation with gradual release techniques to obtain fairness, 
but without focus on particularly efficient protocols. 

Feige, Kilian, and Naor PI study an extension of the multi-party secure 
computation models using a third party T, which receives a single message, does 
some computation, and outputs the function value, but does not learn anything 
else about the inputs. Under cryptographic assumptions, every polynomial-time 
computable function can be computed efficiently (i.e. , in polynomial time) in 
their model. In our model, T is not involved in regular computations and only 
used in case some party misbehaves. 



2 Optimistic Fair Secure Two-Party Computation 

2.1 Notation 

The security parameter is denoted by k. The random choice of an element x from 
a set X with uniform distribution is denoted by x X . The concatenation of 
strings is denoted by ||. 

The statistical difference between two probability distributions Px and Py is 
denoted by \Px — Py\- A quantity ej~ is called negligible (as a function of k) if for 
all c > 0 there exists a constant ko such that < A f or a n fc > fc 0 . The formal 
security notion is defined in terms of indistinguishability of probability ensembles 
indexed by k, but extension from a single random variable to an ensemble is 
assumed implicitly. Two probability ensembles X = {A*,} and Y = { Y *,} are 
called computationally indistinguishable (written X ss Y) if for every algorithm 
D that runs in probabilistic polynomial time (in fc), the quantity |Prob[D(Afc) = 
1] — Prob[D(Ffc) = 1] | is negligible. 



96 



Christian Cachin and Jan Camenisch 



2.2 Definition 

The parties A, B , and T are probabilistic interactive Turing Machines (PITM) 
that communicate via secure channels in an asynchronous environment. Let / : 
Xa x Xb — t 3A x Jb be a deterministic function with two inputs and two 
outputs that A and B want to evaluate, possibly using T’s help. Suppose / can 
be evaluated by a polynomial-sized circuit in k (the extension to probabilistic 
functions is straightforward and omitted). Let : Xa x Xb —X 3At denote the 
restriction of / to A’s output and let fs : Xa x Xb — ► denote the restriction 

of / to P’s output. A has private input x a and should output / a{xa,xb ) and 
B has private input Xb and should output /b^Aj^b)- 

These requirements are expressed formally in terms of the simulatability 
paradigm for general secure multi-party computation although we 

consider only three parties. In this paradigm, the requirements on a protocol 
are expressed in terms of an ideal process, where the parties have access to a 
universally trusted device that performs the actual computation. A protocol is 
considered secure if all an adversary may do in the real world can also happen 
in the ideal process; formally, for every real-world adversary there must exist 
some adversary in the ideal process such that the real protocol execution is 
indistinguishable from execution of the ideal process. 

First, one has to define the real-world model and the ideal process. We assume 
static corruption throughout this work. 

The real-world model. We consider an asynchronous three-party protocol as a 
collection (A, P, T ) of PITM. All parties are initialized with the public inputs of 
the protocol that includes the function /, T’s public key yx, and possibly further 
parameters of the encryption schemes. The private inputs are xa for A, xb for 
B, and zt for T. 

There is no global clock and the parties are linked by secure authenticated 
channels in the following sense. All communication is driven by the adversary in 
form of a scheduler S. There exists a global set M of undelivered messages tagged 
with ( S , R) that denote sender S and receiver R. A4 is initially empty. At each 
step, S chooses a party P , selects some message M £ M with receiver P, and 
activates P with M on its communication input tape. If A4 is empty, P may also 
be activated with empty input. P performs some computation and eventually 
writes a message (P, r) to its communication output tape. The message r is then 
added to M, tagged with (P, R). S repeats this step arbitrarily often and is not 
allowed to terminate as long as M contains messages with receiver or sender 
equal to T . (In other words, S must eventually deliver all messages between T 
and any other party P £ {A,P}, but may suppress messages between A and 
B.) Honest parties eventually generate an output as prescribed by the protocol 
and terminate by raising a corresponding flag; they will not process any more 
messages. 

An adversary in the real world is an algorithm C that controls S and at 
most two of the parties A, P, and T. Parties controlled by the adversary are 
called corrupt; we assume their output is empty. The adversary itself outputs 



Optimistic Fair Secure Computation 



97 



an arbitrary function of its view, which consists of the information observed by 
the scheduler and all messages written to and read from communication tapes 
of corrupted parties. W.l.o.g. we assume the adversary is deterministic. For a 
fixed adversary C and inputs xa and xb, the joint output of A, B , T, and C, 
denoted by Oabtc( x a, x b), is a random variable induced by the internal coins 
of the honest parties. 

The ideal process. The ideal process consists of algorithms A, B , and T, and 
uses on a universally trusted party U to specify all desired properties of the real 
protocol. U is parametrized by f. A has input xa, B has input Xb, and T has 
no input. The operation is as follows. A sends a message in Xa U {_L} to U, and 
B sends a message in Xb U {_L} to U, and T sends two distinct messages to U 
in arbitrary order, one containing a value bA £ 3^4 U {o,_L} and the other one 
containing a value b B £ ys U {o, _L}. Messages are delivered instantly. 

U is a device that computes two messages, rriA and mj, for A and B , respec- 
tively. Each message is generated as soon as all necessary inputs have arrived. 
The message for A depends on xa, x b , and 6a, and is given by 

! f a{x At x b) if 6 a = o and xa ^ 1 and 
T if 6 a = o, but xa = -L or xb = 1 

6a if 6 a yf o. 

ms is computed analogously from xa,Xb, and bs- 

Honest parties in the ideal process operate as follows. A and B just send 
their input to U and T sends 6 a = o and bs = o. A and B then wait for an 
answer from U, output the received value, and terminate. T halts as soon as it 
has sent two messages to U and outputs nothing. 

The ideal-process adversary is an algorithm C that controls the behavior of 
the corrupted parties in the ideal process. It sees the inputs of a corrupted party 
and may substitute them by an arbitrary value before sending the specified mes- 
sage to U. The adversary sees also U’s answer to a corrupted party. Corrupted 
parties output nothing, but the adversary outputs an arbitrary function of all 
information gathered in the protocol. 

For a fixed (deterministic) adversary C and inputs Xa and xb, the output of 
the ideal process is the concatenation of all outputs, denoted by Oabtc( x At x b)- 
In contrast to most of the literature using the simulation paradigm for secure 
computation, each party (including U) sends a message as soon as it is ready in 
this asynchronous specification. This means that an adversary may also delay 
the message of a corrupted party until it has obtained the output of another 
corrupted party. 

Simulatability. We are now ready to state the definition of fair secure computa- 
tion. Seemingly separate requirements on a protocol such as correctness, privacy, 
and fairness are expressed via the simulatability by an ideal process. Recall that 
an adversary in the real world is an algorithm C that controls S and at most 
two of the three parties and that C s output is arbitrary. 




98 



Christian Cachin and Jan Camenisch 



Definition 1. Let f : XaxXb — ► be a function that can be evaluated by 

a polynomial- sized circuit. We say that a protocol (A,B,T) performs fair secure 
computation if for every real-world adversary C , there exists an adversary C 
in the ideal process such that for all xa G Xa and for all xb G ft’s, the joint 
distribution of all outputs of the ideal process is computationally indistinguishable 
from the outputs in the real world, i.e., 

Oabtc(xa,%b) ~ Oabtc( x a,x b ). 

A fair secure computation protocol is called optimistic if whenever all parties 
follow the protocol and messages between them are delivered instantly, then T 
does not receive or send any message. 

Remarks on the above definition. 

1. By the design of the ideal process, fairness is only guaranteed if T is not 
colluding with A or B. This is unavoidable because a cheating participant of 
a two-party protocol may always refuse to send the last message. Protocols 
to defend against such misbehavior require a number of rounds of interaction 
that is inverse proportional to the cheating probability mm. 

2. Conversely, if T is corrupt, then the computation may be unfair and an 
honest party, say A, may not receive its output. Moreover, B and T may 
still decide to block A after seeing fs and even cause A to output a value 
that has nothing to do with . This occurs in the ideal process if T colluding 
with B delays sending bA until it has observed B' s output and then decides 
to send bA ^ o. But notice that T and B together do not learn more about 
Alice’s input than what follows from fg- 

3. A stronger requirement would be that T is only permitted to send o or 
_L, but not a substitute for A or B’s output. The current model reflects a 
corresponding property of our protocol because T’s actions in the resolve 
protocols are not verifiable. However, by making all proofs non-interactive 
and resorting to the random oracle model, our protocol satisfies also this 
stronger requirement. 

4. Our model applies only to an isolated three-party case (as is customary in 
the literature on secure computation). A multi-user model that allows for 
concurrent execution of multiple protocol instances can be constructed by 
combining our model with techniques proposed by Asokan et al. 0 . Basically, 
a unique transaction identifier has to be added to all messages and techniques 
for concurrent composition of zero-knowledge proofs have to be used ESJ. 

3 Proofs of Knowledge and Verifiable Encryption 

This section introduces our notation for proofs of knowledge about discrete log- 
arithms, the notion for verifiable encryption, and our escrow scheme. It starts 
with a description of the underlying encryption schemes. 



Optimistic Fair Secure Computation 



99 



3.1 Preliminaries 

A semantically secure public-key cryptosystem (Ek,Dk) with security parameter 
k consists of a (public) probabilistic encryption algorithm Ek(-) and a (secret) 
decryption algorithm £)/-(■). The encryption algorithm : A4 — > C takes a mes- 
sage m G M. and outputs a ciphertext c; the corresponding decryption algorithm 
Dk : C — > A4 computes m from c. 

Semantic security asserts that an eavesdropper cannot get partial informa- 
tion about the plaintext from a ciphertext m- More precisely, ( Ek,Dk ) is a 
semantically secure public-key system if for two arbitrary messages mo and mi, 
the random variables representing the two encryptions Ek(mo) and Ek(mi) are 
computationally indistinguishable . 

The protocols in this paper are mostly based on ElGamal encryption E2j. 
Let G be a group of large prime order q (polynomial in k) and let g G G be 
a randomly chosen generator. An ElGamal public key is ( g , y) for y = g x with 
a randomly chosen x G Z 9 and the corresponding secret key is x. ElGamal 
encryption of a message m G G proceeds as follows: 

Algorithm ElGamal (g,y)(m) 

1. choose a random reZ,; 

2. compute and output (c, c') = ( g r ,my r ). 

The decryption algorithm computes m = c'/c® and outputs m. 

Consider the two distributions over G 4 with D 0 = (g, g x , g v , g z ) for x, y, z Gr 
7L q and D\ = (g, g x , g v , g xy ) for x,y Gr Z g . The Decisional Diffie- Heilman 
(DDH) assumption is that there exists no probabilistic polynomial-time (PPT) 
algorithm that distinguishes with non-negligible probability between D and R. 
By a random self-reduction property jSEH, the DDH assumption is equivalent 
to assuming that there is no PPT algorithm that decides with high probability 
for all tuples (<?, g x , g y , g z ) if z = xy mod q. It is well known that ElGamal 
encryption is semantically secure under the DDH assumption. 

Using a hybrid argument, one can show that also the two distributions 

Mo = (g , g Xl , . . . , g Xn , g Vl , . . . , g Vm , g Zl , • • • , g Znm ) 



with Xi,yj, Zij Gr Z q and 



Mi = (g, g Xl , . ■ • , g Xn , g 



y i 



n Vrn n xiyi 
•> y ^ i/ 5 



r,Xn Vm \ 



with Xi, yj Gr Ti q for i = 1 , ,n and j = 1 , ,m are computationally indis- 
tinguishable under the DDH Assumption. The argument is essentially the same 
as the one by Naor and Reingold m- 



3.2 Proofs of Knowledge about Discrete Logarithms 

We introduce a notation for describing proofs of knowledge about discrete log- 
arithms. Such three-move proofs of knowledge can be composed efficiently in 



100 



Christian Cachin and Jan Camenisch 



parallel and in a modular way, as shown by Cramer, Damgard, and Schoemak- 
ers m . The notation was first used by Camenisch and Stadler m and subsumes 
several discrete logarithm-based proof techniques (see the references therein). 
Our extension allows to describe modular composition. 

Let G be a group of large prime order q and let g, g\ £ G be generators such 
that logger is not known (e.g. provided by a trusted dealer). 

The simplest example of such a proof is the proof of knowledge of a discrete 
logarithm of y £ G m- For reference, we recall some of properties of this 
protocol between a prover P and verifier V. Public inputs are (g, y) and P’s 
private input is x such that y = g x . First, P computes a commitment t = g r with 
rSijZ q and sends it to V . Then V sends to P a random challenge c£ {0, l} k , 
to which P responds with s = r — cx mod q , where k' is a security parameter. 
V accepts if and only if t = g s y c . We denote this protocol by 

PK log(g, y) 

U : y = g^}- 

The witness(es) are conventionally written in Greek letters and only known to 
the prover while all other parameters are known to the verifier as well. 

Unlike the simplifying description above, we assume that all proofs here are 
actually three-move concurrent zero-knowledge protocols, i.e., carried out using 
trapdoor commitments for the first message t. Such trapdoor commitments may 
be constructed, for example, using an additional generator h € G, which is chosen 
at random by a trusted dealer or is determined in a once-and-for-all setup phase; 
the zero-knowledge simulator can extract the trapdoor log g h from this. It will 
allow the simulator to open a given commitment t in an arbitrary way upon 
receiving a challenge c because it can compute suitable s from the trapdoor, 
without having to rewind the verifier (for more details see, e.g., |2'0|); this allows 
also arbitrarily large challenges (i.e., k! = 0(k)). 

This basic protocol can be extended in many ways. For example, 

PK rep( 5 , ff i,y) 

{tp-y = g^9\ p } 

denotes a proof of knowledge of a representation of y with respect to g and g\. 

Proofs written in this notation may be composed in a modular way. It is 
known that this is sound for monotone boolean expressions from the results of 
Cramer et al. m- For instance, the prover can convince the verifier that he 
knows the representation of at least one of x and y w.r.t. bases g and g\ with 

PK or{g 1 gi,x,y) 

{rep( 3 , 5 i,x) V rep {g,gi,y)}. 

It is also possible to prove that two discrete logarithms (or parts of repre- 
sentations) are equal |U| . We give an example of this technique. It shows that 



Optimistic Fair Secure Computation 101 



a commitment z contains the product modulo q of the two values committed to 
in x and y: 



PK mul(5,5i,a;,y,z) 

{a, f3,j ,8,e:x = g a g 1 ' 1 A y = g 0 gi A z = y a gi e }. 

This works also for z = g a g \ r with r = 0 and arbitrary agZ g , which is needed 
in Section 0 

When such proofs are combined, some optimizations are often possible, just 
like in assembly code that is produced by a compiler from a high-level language. 
An example that occurs in Section [3 is that multiple parallel commitments to 
the same value are introduced, where only one of them is needed. 



3.3 Verifiable Encryption 

Verifiable encryption is an important building block here and has been used for 
publicly verifiable secret sharing EH, key escrow, and optimistic fair exchange 0. 
It is a two-party protocol between a prover and encryptor P and a verifier and 
receiver V. Their common inputs are a public encryption key E, a public value v, 
and a binary relation 1Z on bit strings. As a result of the protocol, V either rejects 
or obtains the encryption c of some value s under E such that (s, v) G 7Z. For 
instance, 1Z could be the relation ( s,g s ) C 7L q x G. The protocol should ensure 
that V accepts an encryption of an invalid s only with negligible probability and 
that V learns nothing beyond the fact that the encryption contains some s with 
(s, v) E 1Z. The encryption key E typically belongs to a third party, which is not 
involved in the protocol at all. 

Generalizing the protocol of Asokan et al. 0 , Camenisch and Damgard m 
provide a verifiable encryption scheme for all relations 1Z that have an honest- 
verifier zero-knowledge three-move proof of knowledge where the second message 
is a random challenge and the witness can be computed from two transcripts 
with the same first message but different challenges. This includes most known 
proofs of knowledge, and in particular, all proofs about discrete logarithms from 
the previous section. The verifiable encryption scheme is itself a three-move proof 
of knowledge of the encrypted witness s and is zero-knowledge if a semantically 
secure encryption scheme is used mu- 

We use a similar notation as above and denote by, e.g., 

VE (EIGamal, ( g , y), tag ){ £ : v = g^} 

the verifiable encryption protocol for the EIGamal scheme, whereby log s v along 
with tag is encrypted under public key y. The tag , an arbitrary bit string, is 
needed for the composition of such protocols, as we will see later. The ciphertext 
c is represented by (a function of) the verifier’s transcript of this protocol, which 
we abbreviate by writing c •<— VE (EIGamal, ( g , y), tag){ £ : v = g ^}, and is stored 
by V. 



102 



Christian Cachin and Jan Camenisch 



Together with the corresponding secret key ( x = log s y in this example), tran- 
script c contains enough information to decrypt the witness efficiently. We as- 
sume that the corresponding decryption algorithm VD(EIGamal, (g,x),c, string ) 
is subject to the condition that a tag matching string is encrypted in c; VD 
outputs the witness in this case and _L in all other cases. 

We refer to Camenisch and Damgard m for further details of the verifiable 
encryption scheme. 

3.4 Escrow Schemes 

A (verifiable) escrow scheme 0 is a protocol involving three parties: a sender S, 
a receiver R, and a third party T, whose public key yx of an encryption scheme is 
known to S and R. We require that T’s encryption scheme is semantically secure 
against adaptive chosen-ciphertext attacks m ■ S has a bit string a as private 
input. T’s private input is Zt, the secret key corresponding to yx- Furthermore, 
there is a public input string tag for S and R that controls the condition under 
which T may resolve the escrow of a. 

The operation of an escrow scheme consists of two phases. In the first phase, 
only S and R interact. If R accepts Phase I, then he is guaranteed to receive 
a in Phase II as long as either S or T is honest. That is, R either receives a 
single message from S that will allow him to compute a (and hence T needs not 
participate in the protocol at all) or, if this does not happen, R sends T a single 
request containing tag , to which T will reply with a. 

Several escrow schemes with different tags may be run concurrently among 
the same participants. 

The security requirements of the escrow scheme are that a malicious R cannot 
gain any information on a before Phase II. More precisely, for all bit strings a' , 
a", and tag, suppose S runs Phase I of the escrow scheme with R* on tag and 
a € {a', a"} chosen at random. Subsequently R* interacts arbitrarily with T 
subject only to the condition that it never submits a request containing tag to 
T; the escrow scheme is secure if such an R* cannot distinguish a = a' from 
a = a" with more than negligible probability. 

A secure escrow scheme can be implemented easily using verifiable encryption 
and a cryptosystem for T that is semantically secure against chosen-ciphertext 
attacks. We use the Cramer-Shoup cryptosystem EE denoted by CS, with public 
key yx and private key Zx- 

In Phase I, S chooses u Gr Z*, computes A = g a g\ u , and sends A to R. S 
and R also carry out PK rep(g, g\, A) and 

out <r- VE (CS, y T , tag) {a, /3 : A = g a g 1 p }. 

In Phase II, S sends a and u to R and R verifies that A = g a gi u . If this check 
fails or if R did not receive a message from S, then R sends to T the message 
(out, tag). T runs VD(CS, zt , out, tag) and sends the output to R. In either case, 
R learns a. 

It is easy to see that this is a secure escrow scheme using the security of CS 
and the properties of PK and VE. 



Optimistic Fair Secure Computation 103 



4 Verifiable Oblivious Transfer 

This section describes a variant of oblivious transfer that is needed for our fair 
secure computation protocol. Oblivious transfer, proposed by Rabin 133 and by 
Even, Goldreich, and Lempel Eza> is a fundamental primitive for multi-party 
computation. In its basic incarnation as a one-out-of-two oblivious transfer, a 
sender S has two input bits bo and b\, and a receiver R has a bit c. As a result 
of the protocol R should obtain b c , but should not learn anything about & c ® i 
whereas S should not get any information about c. 

A verifiable oblivious transfer (VOT) is an oblivious transfer on committed 
values, where the sender S has made two commitments Aq and Aj, containing 
two values ao and ai, and R has made a commitment C , containing a bit c. 
The requirements are that R outputs a c without learning anything about a c ®i 
and that S does not learn anything about c. (A committed oblivious transfer 
as described by Crepeau, van de Graaf, and Tapp PJ is a similar protocol 
that performs an oblivious transfer of commitments such that R ends up being 
committed to a c ; Cramer and Damgard PI give an efficient implementation for 
this.) 

Suppose the commitments Aq,Ai, and C are of the form B = g b g f for a 
randomly chosen rgZ, and committed value b £ % q . In this section, we assume 
that corresponding commitments are computed correctly from the inputs ao, a±, 
and c. In other words, a commitment oracle receives ao and ai from S, chooses 
random to,ti € Z q , places A 0 = g a °gi° and A\ = g^gi 1 in the public input, 
and returns to and t\ to S privately; similarly, it receives c from R, computes 
C = g c g i r using a random r € Z q , places C in the public input and gives r 
privately to R. This commitment oracle is an artificial construction for using 
VOT as part of a larger protocol. Alternatively, one might assume that S and 
R generated and exchanged the commitments beforehand, together with a proof 
that they are constructed correctly; this is indeed how VOT is used in Section 0 
below. 

The following protocol is based on verifiable encryption and the oblivious 
transfer constructions by Even et al. fJSJ and Bellare and Micali |7j. Our no- 
tational convention for such protocols is as follows. All inputs are written as 
argument lists in parentheses, grouped by the receiving party; the first list con- 
tains public inputs, the second list private inputs of the first party (S'), the third 
list private inputs of the second party (f?), and so on. 

Protocol VOT(g, gi, A 0 , A- l ,C)(a 0 , ai, t 0 , *i)(c, r) 

1. S as encryptor and R as receiver engage in two verifiable encryption protocols 

out 0 ^~ VE (EIGamal,(gi,C),0){a,/3 : A 0 = g a gi p } 
out i <- VE (EIGamal, (gi, ^), 0){a, /3 :A 1 = g a gi >3 }. 

2. If R accepts both of the above protocols, he computes 

a c = VD(EIGamal, (gi, r), out c , 0). 



104 



Christian Cachin and Jan Camenisch 



The above protocol uses R ' s commitment C directly as encryption public 
key and saves one round compared to the direct adoption of the Bellare-Micali 
scheme. The way the commitment C is constructed from c ensures that R knows 
log gi {C/g c ) = r needed to decrypt out c , but not the discrete logarithm needed 
to decipher the other encryption. (The proof of the following lemma is omitted 
from this extended abstract.) 

Lemma 1. Under the DDH assumption, Protocol VOT is a secure verifiable 
oblivious transfer. 

5 Verifiable Secure Function Evaluation 

Verifiable secure function evaluation (VFE) is an interactive protocol between a 
circuit constructor A and an evaluator B. Both parties have as common public 
input values Ca and Cb , representing commitments to their inputs. A has two 
private inputs strings: her input string xa and a string va allowing her to open 
Ca; likewise, B has two private input strings, Xb and rs- Their goal is to evaluate 
/b on the committed inputs such that B learns /b^a, £b)- 

We assume here, as already in Section El that all commitments are computed 
correctly from the inputs, which in turn may have been chosen in an arbitrary 
way. More precisely, assume A gives x a to a commitment oracle, which com- 
putes Ca according to the specified commitment scheme using the random bits 
xa and returns Ca and va (similarly for B). These are the corresponding com- 
mitments used below. (Alternatively, one might assume that A and B generated 
and exchanged correct commitments beforehand.) 

Given concrete implementations of a parties A and B , a protocol execution 
between A and B with inputs Ca,Cb,xa,xb,ta, and rs defines naturally the 
views Va and Vb of A and B , respectively, which are families of random variables 
determined by the public input, A’s private input, B’s private input, and the 
internal random coins. Moreover, if B is deterministic then Vb is a random 
variable depending only on A’s coin flips. 

Definition 2. A verifiable secure function evaluation protocol for a function 
/b : Xa x Xb —> Vb between A and B satisfies the following requirements: 

Correctness: If A and B are honest and follow the protocol, then Mxa G 
X a ,Mxb G Xb and corresponding commitments, B outputs fB{xA,x B ) ex- 
cept. with negligible probability. 

Soundness: VA* and V x* A G Xa and corresponding commitments C\, if the 
protocol starts with public inputs C\,Cb, then, except with negligible proba- 
bility, B outputs /b(^ai x b) ° r A. 

Privacy: We consider two cases, corresponding to cheating B and cheating A. 
1. Privacy for A: MB* there exists a probabilistic polynomial-time algorithm 
(PPT) SIMb * such that Mxa G Xa and Mx B G Xb with corresponding 
commitments Ca,C* b , 

V B - (C a , C% , x A , r A , x * B , r* B ) w SIM B - {C A , C * B , f B (x A , x * B ) , x* B ) . 



Optimistic Fair Secure Computation 105 



2. Privacy for B: VA* there exists a PPT algorithm SIM a* such that\/x B £ 
X B andVx* A € X A with corresponding commitments C A ,C B , 

Fa* (Cl, C B , x* a , r* A , x B , r B ) » SIM A . (C* A , C B ,x* A ). 

The soundness condition binds A to her committed inputs. The corresponding 
binding for B is part of the privacy condition for A , which ensures that B is 
committed to the value xb at which he evaluates fs before the protocol starts. 
This is needed to use the one-sided concept of VFE as a building block for 
optimistic fair secure computation below. 

5.1 Overview of the Encrypted Circuit Construction 

We give a brief description of our protocol and the “encrypted circuit construc- 
tion” ; it follows the approach to secure function evaluation developed by Yao |3Ej , 
but uses public-key encryption instead of pseudo-random functions for the sake of 
verifiability. Suppose Al’s private input is a binary string x A = (x AA , ■ • • , x A ,n A ) 
and B ' s private input is a binary string xb = (ib,i, • ■ • ,x B ,n B )i assume further 
w.l.o.g. that f B is represented a binary circuit consisting of NAND gates. 

Protocol S/FE(g,g 1 ,C A ,C B ,f B )(x A ,r A )(x B ,r B ) 

VI. A produces an encrypted version of the circuit computing f B . The circuit 
consists of gates and wires linking the gates. Except for input and output 
wires, each wire connects the output of one gate with the input of one or 
more other gate(s). For each wire, A chooses two random tokens So and si, 
representing bits 0 and 1 on this wire, and produces unconditionally hiding 
commitments uq and ui to these tokens. 

For each gate, A encrypts the truth table as follows: First, the bits are 
replaced by (new) commitments to the tokens representing the bits. Next, 
for each row, a “row public key” for encryption is computed and added to 
the table such that the corresponding secret key can be derived from com- 
bining the two input tokens of the row. Finally, all four rows are permuted 
randomly. 

These tables and the commitments are sent to B as an ordered list such 
that B knows which commitment represents token 0 or 1 etc. Moreover, 
A proves to B in zero-knowledge that the commitments and the encrypted 
gates are consistent, ensuring (1) that the tokens of the input and output 
wires are the same as those committed to in the truth table, (2) that the 
secret key for each row of a gate is derived correctly from the input tokens 
of the row, and (3) that each encrypted gate implements NAND. 

V2. For each row of each gate of the circuit, A and B engage in verifiable en- 
cryption of the output token under the row public key. 

V3. For each of her input bits, A sends to B the corresponding token and proves 
to him that this is consistent with her input x A committed in C A . Further- 
more, B obtains the tokens representing his input bits through n B verifiable 
oblivious transfers from A to B and A opens all the commitments of the 
output wires. 



106 



Christian Cachin and Jan Camenisch 



V4. Once B has obtained all this information, he is able to evaluate the circuit 
gate by gate on his own. 

Suppose w.l.o.g. the circuit consists of n NAND gates Gi, - ■ ■ ,Gn and n + riA + 
ns wires Wi, . . . , W n +n A +n B and has n A + nn inputs and no outputs. Wires 
Wi, . . . , W„ are output wires of the gates Gi, ■ ■ ■ , Gn- Wires W n +i, . . . , W n+nA 
are input wires of A and W n+nA+ i , . . . , W n . \- nA + nB are input wires of B. Wires 
W n _„ 0+ i, . . . , W„ are the output wires of the circuit; except for those, any wire 
is an input to at least one gate. 

The commitment to Ws input xa is Ca — {Ca, i, • ■ • , Ca,u a ), where for i = 
1, . . . , ua, a bit commitment 



Cm = g XA ’ i gi rA ’ i 

has been constructed using a random r a a. G Z g and ta = (Va,i, ■ ■ ■ XA,n A ) is a 
private input of A. 

Similarly, the commitment to B ' s input Xb is Cb = (Cb,i, . . . , Cb,ti b ), where 
for i = 1, . . . ,tib, a bit commitment 

C B ,i = g XB "g r B - 4 

has been constructed using a random tba £ 2 q and rs = (tb, i, ■ • • ,fB,n B ) is a 
private input of B. 

The details of the verifiable secure function evaluation protocol and its analy- 
sis are omitted from this extended abstract. 

6 Optimistic Fair Secure Computation Protocol 

We are now ready to describe our protocol for optimistic fair secure two-party 
computation. In short, the protocol consists of two intertwined executions of the 
verifiable secure function evaluation protocol from the previous section, where 
the output tokens are not directly revealed, but mutually escrowed with T first 
and opened later. Recall that optimistic fair secure computation involves three 
parties A , B 1 and T, in the asynchronous communication model of Definition 0 
In the following we use Protocol VOT from Section 0 and the secure escrow 
scheme based on Cramer-Shoup encryption from Section 18.41 

Common inputs are a function / : Xa x X b — > x 3^b, T ' s public key yx, 

and generators g,g\ € G. The private input of A is xa G Xa , the private input 
of B is Xb £ Xb, and the private input of T is the secret key zt corresponding 
to y T • 

Protocol FA\RCOMP(g,g 1 , f,y T )(x a) ( x B )(z T ) 

FI. A chooses ta . i , ■ ■ ■ , t a,u a computes the commitments 



= (Ca.i, . ■ • ,C A ,n A ) = {g XA ’ 1 g\ rA ' 1 1 ■ ■ ■ ,g XA ’ 7 lA gi rA,rlA ), 



Optimistic Fair Secure Computation 107 



sends C A to B , and runs with B 

PK {ai,/?i, . . .,a nA ,p nA : C AA = g ai gi' h A • •• A C A , nA = g anA gi 0nA )}- 

If B rejects any proof, it outputs _L and halts. 

F2. B chooses r B ,i, ■ ■ ■ ,Ts,n B £r computes the commitments 

Cb = (Cb A , . . . , Cb,u b ) = (<f , . • • , g XB ’ n * g 1 rB ’ n B 

sends C B to A , and runs with A 

PK {a\,p\, . . ,,a nB ,p nB : Cb , i = g ai gi 01 A • • • A C B ,n B = g anB gi 0nB )}. 

If A rejects any proof, it outputs _L and halts. 

F3. A and B invoke a modification of Protocol VFE(g, gi, C A , C B , f B )(x A , r A ) 
(. x B ,r B ), where they replace opening the commitments of the output tokens 
by escrowing them with T. That is, in Step \0 A and B run Phase I 
of the escrow scheme for each of the values Sj,0i s»,i , ri,o, fi,i tagged with 
C A \\C B \\f B \\i for * = n — no + 1, ■ ■ . ,n in the circuit computing f B . They 
interrupt Protocol VFE after Step VES (Note that T has not been involved 
so far.) 

If this fails, B simply outputs J_ and halts. 

F4. B and A invoke a modification of Protocol VFE(.g, <71, C B , C A , f A )(x B , r B ) 
( x A , r A ), where they replace opening the commitments of the output tokens 
by escrowing them with T. That is, in Step V0 B and A run Phase I 
of the escrow scheme for each of the values Sj,0i s»,i , ri,o, tagged with 
C A \\C B \\f A \\i for i = n — no + 1 ,n in the circuit computing f A . They 
interrupt Protocol VFE after Step V0 

If this fails, A invokes Protocol abort with T . If T answers abort, then A 
outputs _L and halts. If T answers resolve || transcript then A completes 
the VFE protocol computing f A as read from transcript (continuing with 
Step \Q, outputs 0 A , and halts. 

F5. A and B continue with Phase II of the escrow protocols started in Step F0 
According to this, A sends B the corresponding messages, B checks their 
contents, and if a check fails or if some message does not arrive, B invokes 
Protocol B-resolve with T . If T answers abort, then B outputs _L and halts. 
If T answers resolve || transcript then B completes the VFE protocol com- 
puting f B as read from transcript (continuing with Step V0, outputs O b , 
and halts. 

Otherwise B resumes Protocol VFE started in Step F0 with Step VEland 
obtains Ob- 

F6. B and A continue with Phase II of the escrow protocols started in Step F0 
According to this, B sends A the corresponding messages. Then B outputs 
O b and halts. 

A checks the messages received from B , and if a check fails or if some 
message does not arrive, A invokes Protocol A-resolve with T. If T answers 
abort, A outputs _L and halts. 



108 



Christian Cachin and Jan Camenisch 



If T answers resolve|| transcript then A completes the VFE protocol com- 
puting f a as read from transcript from Step MI outputs Oa, and halts. 
Otherwise A resumes Protocol VFE started in Step F0]with Step \Q outputs 
Oa , and halts. 

We now describe the sub-protocols for aborting and resolving. They also take 
place in the model of Definition E where all parties maintain internal state (pri- 
vate inputs are sometimes mentioned nevertheless). In particular, T maintains 
a list of tuples internally and processes all abort and resolve requests atomi- 
cally. Recall that the transcript of a party of a protocol consists of all messages 
received or sent by this party. 

Protocol abort is a protocol between A and T; it is invoked by A with inputs Ca 
and Cb- 

Protocol abort(< 7 , 9uf,yr)(C A ,C B ) () 

1. A sends the message (abort, CaIICbII/) to T. 

2. If T’s internal state contains an entry of the form (CCi||C.b||/, string), then 
T returns to A the message string. 

3. Otherwise, T adds the tuple {Ca \ \ Cb ||/, abort) to its internal state and 
returns to A the message abort. 

Protocol B-resolve is a protocol between B and T; it is invoked by B with in- 
put a string transcript , containing B ' s complete transcript of Steps FI- F0 in 
Protocol FAIRCOMP, which includes also Ca and Cb- 

Protocol B-resolve(g, gi, /, y T ) (transcript) ( zt) 

1. B sends the message (B-resolve, transcript) to T. 

2. If T’s internal state contains an entry of the form (Ca ||C.b||/, string), then 
T returns to B the message string and halts. 

3. Otherwise, B and T run Steps V1-V3 of Protocol VFE(g, g\, Cb, Ca, /a) 
(%B,rB)(Q) unmodified with B in the role of circuit constructor (VFE-)A 
and T in the role of circuit evaluator (VFE-)f?. They stop after Step 1 in 
Protocol VOT, before T would have to decrypt the tokens. (Thus, T’s inputs 
to the protocol may be empty.) 

If T rejects any of the proofs by B , then T adds the tuple ( Ca||Cb|| /, abort) 
to its internal state and returns to B the message abort. 

4. Otherwise, T reads the transcript sent by B and carries out its part of 
Phase II for the escrows of the tokens on the output wires for fs from 
Step FH T opens the escrows subject to all tags matching C( 4 ||Cb||/b||*. In 
other words, T runs the decryption algorithm VD(CS, zt, ■ ■ • ) and returns 
the outputs to B if all tags match, or T if one or more decryptions yield _L. 
T computes the transcript t of Protocol B-resolve and adds (CaWCbW/, 
resolve||t) to its internal state. 

Protocol A-resolve is a protocol between A and T; it is invoked by A with in- 
put a string transcript , containing her complete transcript of Steps F1-F0 in 
Protocol FAIRCOMP, which includes also Ca and Cb- 



Optimistic Fair Secure Computation 109 

Protocol A-resolve(g, gi, /, yx) (transcript) (zx) 

1. A sends the message (A-resolve, transcript) to T. 

2. If T’s internal state contains an entry of the form (CaWCs]]/, string), then 
T returns to A the message string and halts. 

3. Otherwise, A and T run Steps V1-V3 of Protocol VFE(g, gi, Ca, Cb, /b) 
(xa: 00(0) unmodified with A in the role of circuit constructor (VFE-)A 
and T in the role of circuit evaluator (VFE-)-B. They stop after Step 1 in 
Protocol VOT, before T would have to decrypt the tokens. (Thus, T’s inputs 
to the protocol may be empty.) 

If T rejects any of the proofs by A, then T adds the tuple (Ca||C'b||/, abort) 
to its internal state and returns to A the message abort. 

4. Otherwise, T reads the transcript sent by A and carries out its part of 
Phase II for the escrows of the tokens on the output wires for /a from 
Step F0] T opens the escrows subject to all tags matching CaHCAH/aII*. In 
other words, T runs the decryption algorithm VD(CS, zr , ■ ■ • ) and returns 
the outputs to A if all tags match, or T if one or more decryptions yield _L. 
T computes the transcript t of Protocol A-resolve and adds (Ca||C(b||/, 
resolve||t) to its internal state. 

Remarks about the protocol. 

1. Protocol FAIRCOMP as described above consists of seven rounds (14 moves). 
By pipelining the execution of Steps F1-F4 one can reduce this to five rounds 
(ten moves). Using non-interactive proofs in the random oracle model, this 
could even be reduced further to three rounds (six moves). 

2. A major difference between the resolve protocols here and those used for 
optimistic fair exchange of signatures |Zj is that T cannot directly replace 
the other party here. Whereas in a fair exchange of digital signatures, T can 
verify that the party requesting to resolve supplies a correct signature, T has 
to re-run almost the complete VFE protocol here. After T has done this, the 
other party is able to complete VFE and its part of the computation from 
this transcript. 

3. T does not have to know any secrets of the other party for re-running VFE. 
For instance, in Step 0of Protocol B-resolve, when B and T run Protocol VFE 
for /a (and T plays the role of A), T does not have to know anything about 
A’s secret input xa besides the commitments Ca] this follows because the 
VFE protocol is stopped after Step V3 and because of a special feature 
of the underlying Protocol VOT, in which the commitments are used for 
encryption. 

It can be shown that under the DDH assumption, Protocol FAIRCOMP is an 
optimistic fair secure computation protocol (omitted). 



Acknowledgments 

We thank Ran Canetti and Victor Shoup for helpful suggestions and discussions 
about modeling optimistic fair secure computation. 



no 



Christian Cachin and Jan Camenisch 



References 

1. N. Asokan, M. Schunter, and M. Waidner, “Optimistic protocols for fair exchange,” 
in Proc. 4th ACM Conference on Computer and Communications Security, pp. 6, 
8-17, 1997. 

2. N. Asokan, V. Shoup, and M. Waidner, “Optimistic fair exchange of digital signa- 
tures,” IEEE Journal on Selected Areas in Communications, vol. 18, pp. 591-610, 
Apr. 2000. 

3. B. Baum- Waidner and M. Waidner, “Optimistic asynchronous multi-party contract 
signing,” Research Report RZ 3078 (#93124), IBM Research, Nov. 1998. 

4. D. Beaver, “Secure multiparty protocols and zero- knowledge proof systems toler- 
ating a faulty minority,” Journal of Cryptology, vol. 4, no. 2, pp. 75-122, 1991. 

5. D. Beaver and S. Goldwasser, “Multiparty computation with faulty majority (ex- 
tended announcement),” in Proc. 30th IEEE Symposium on Foundations of Com- 
puter Science (FOCS), pp. 468-473, 1989. 

6. D. Beaver, S. Micali, and P. Rogaway, “The round complexity of secure protocols,” 
in Proc. 22nd Annual ACM Symposium on Theory of Computing (STOC), pp. 503- 
513, 1990. 

7. M. Bellare and S. Micali, “Non-interactive oblivious transfer and applications,” in 
Advances in Cryptology: CRYPTO ’89 (G. Brassard, ed.), vol. 435 of Lecture Notes 
in Computer Science, pp. 547-557, Springer, 1990. 

8. M. Ben-Or, O. Goldreich, S. Micali, and R. L. Rivest, “A fair protocol for signing 
contracts,” IEEE Transactions on Information Theory, vol. 36, pp. 40-46, Jan. 
1990. 

9. E. F. Brickell, D. Chaum, I. Damgard, and J. van de Graaf, “Gradual and verifiable 
release of a secret,” in Advances in Cryptology: CRYPTO ’87 (C. Pomerance, ed.), 
vol. 293 of Lecture Notes in Computer Science, Springer, 1988. 

10. J. Camenisch and I. Damgard, “Verifiable encryption and applications to group 
signatures and signature sharing,” Tech. Rep. RS-98-32, BRICS, Departement of 
Computer Science, University of Aarhus, Dec. 1998. 

11. J. Camenisch and M. Stadler, “Efficient group signature schemes for large groups,” 
in Advances in Cryptology: CRYPTO ’97 (B. Kaliski, ed.), vol. 1233 of Lecture 
Notes in Computer Science, pp. 410-424, Springer, 1997. 

12. R. Canetti, “Security and composition of multi-party cryptographic protocols,” 
Journal of Cryptology, vol. 13, no. 1, pp. 143-202, 2000. 

13. D. Chaum, I. Damgard, and J. van de Graaf, “Multiparty computations ensuring 
privacy of each party’s input and correctness of the result,” in Advances in Cryp- 
tology: CRYPTO ’87 (C. Pomerance, ed.), vol. 293 of Lecture Notes in Computer 
Science, Springer, 1988. 

14. D. Chaum and T. P. Pedersen, “Wallet databases with observers,” in Advances 
in Cryptology: CRYPTO ’92 (E. F. Brickell, ed.), vol. 740 of Lecture Notes in 
Computer Science, pp. 89-105, Springer- Verlag, 1993. 

15. R. Cleve, “Limits on the security of coin flips when half the processors are faulty,” 
in Proc. 18th Annual ACM Symposium on Theory of Computing (STOC), pp. 364- 
369, 1986. 

16. R. Cramer and I. Damgard, “Linear zero-knowledge — a note on efficient zero- 
knowledge proofs and arguments,” in Proc. 29th Annual ACM Symposium on The- 
ory of Computing (STOC), 1997. 

17. R. Cramer, I. Damgard, and B. Schoemakers, “Proofs of partial knowledge and 
simplified design of witness hiding protocols,” in Advances in Cryptology: CRYPTO 
’94 (Y. G. Desmedt, ed.), vol. 839 of Lecture Notes in Computer Science, 1994. 




Optimistic Fair Secure Computation 111 



18. R. Cramer and V. Shoup, “A practical public-key cryptosystem provably secure 
against adaptive chosen-ciphertext attack,” in Advances in Cryptology: CRYPTO 
’98 (H. Krawczyk, ed.), vol. 1462 of Lecture Notes in Computer Science , Springer, 
1998. 

19. C. Crepeau, J. van de Graaf, and A. Tapp, “Committed oblivious transfer and pri- 
vate multi-party computation,” in Advances in Cryptology: CRYPTO ’95 (D. Cop- 
persmith, ed.), vol. 963 of Lecture Notes in Computer Science, Springer, 1995. 

20. I. B. Damgard, “Efficient concurrent zero-knowledge in the auxiliary string model,” 
in Advances in Cryptology: EUROCRYPT 2000 (B. Preneel, ed.), vol. 1087 of 
Lecture Notes in Computer Science, pp. 418-430, Springer, 2000. 

21. D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptography (extended ab- 
stract),” in Proc. 23rd Annual ACM Symposium on Theory of Computing (STOC), 
pp. 542-552, 1991. 

22. T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete 
logarithms,” IEEE Transactions on Information Theory, vol. 31, pp. 469-472, July 
1985. 

23. S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing con- 
tracts,” Communications of the ACM, vol. 28, pp. 637-647, 1985. 

24. U. Feige, J. Kilian, and M. Naor, “A minimal model for secure computation (ex- 
tended abstract),” in Proc. 26th Annual ACM Symposium on Theory of Computing 
(STOC), pp. 554-563, 1994. 

25. O. Goldreich, “Secure multi-party computation.” Manuscript, 1998. (Version 1.1). 

26. O. Goldreich, S. Micali, and A. Wigderson, “How to play any mental game or a 
completeness theorem for protocols with honest majority,” in Proc. 19th Annual 
ACM Symposium on Theory of Computing (STOC), pp. 218-229, 1987. 

27. S. Goldwasser and L. Levin, “Fair computation of general functions in presence of 
immoral majority,” in Advances in Cryptology: CRYPTO ’90 (A. J. Menezes and 
S. A. Vanstone, eds.), vol. 537 of Lecture Notes in Computer Science, Springer, 
1991. 

28. S. Goldwasser and S. Micali, “Probabilistic encryption,” Journal of Computer and 
System Sciences, vol. 28, pp. 270-299, 1984. 

29. S. Micali, “Secure protocols with invisible trusted parties.” Presentation at the 
Workshop on Multi-Party Secure Protocols, Weizmann Institute of Science, Israel, 
June 1998. 

30. S. Micali and P. Rogaway, “Secure computation,” in Advances in Cryptology: 
CRYPTO ’91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Sci- 
ence, pp. 392-404, Springer, 1992. 

31. M. Naor and O. Reingold, “Number- theoretic constructions of efficient pseudo- 
random functions,” in Proc. 38th IEEE Symposium on Foundations of Computer 
Science (FOCS), 1997. 

32. M. O. Rabin, “How to exchange secrets by oblivious transfer,” Tech. Rep. TR-81, 
Harvard University, 1981. 

33. C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryp- 
tology, vol. 4, pp. 161-174, 1991. 

34. M. Stadler, “Publicly verifiable secret sharing,” in Advances in Cryptology: EU- 
ROCRYPT ’96 (U. Maurer, ed.), vol. 1233 of Lecture Notes in Computer Science, 
pp. 190-199, Springer, 1996. 

35. A. C. Yao, “Protocols for secure computation,” in Proc. 23rd IEEE Symposium on 
Foundations of Computer Science (FOCS), pp. 160-164, 1982. 

36. A. C. Yao, “How to generate and exchange secrets,” in Proc. 27th IEEE Symposium 
on Foundations of Computer Science (FOCS), pp. 162-167, 1986. 




A Cryptographic Solution 
to a Game Theoretic Problem 



Yevgeniy Dodis 1 , Shai Halevi 2 , and Tal Rabin 2 



1 Laboratory for Computer Science, MIT, 

545 Tech Square, Cambridge, MA 02139, USA. 
yevgen@theory . lcs .mit . edu 
2 IBM T.J. Watson Research Center, 

P.O. Box 704, Yorktown Heights, New York 10598, USA. 
{shaih,talr}@watson. ibm. com 



Abstract. In this work we use cryptography to solve a game-theoretic 
problem which arises naturally in the area of two party strategic games. 
The standard game-theoretic solution concept for such games is that 
of an equilibrium, which is a pair of “self-enforcing” strategies making 
each player’s strategy an optimal response to the other player’s strategy. 
It is known that for many games the expected equilibrium payoffs can 
be much higher when a trusted third party (a “mediator”) assists the 
players in choosing their moves ( correlated equilibria ), than when each 
player has to choose its move on its own ( Nash equilibria). It is natural 
to ask whether there exists a mechanism that eliminates the need for 
the mediator yet allows the players to maintain the high payoffs offered 
by mediator-assisted strategies. We answer this question affirmatively 
provided the players are computationally bounded and can have free 
communication (so-called “cheap talk”) prior to playing the game. 

The main building block of our solution is an efficient cryptographic 
protocol to the following Correlated Element Selection problem, which 
is of independent interest. Both Alice and Bob know a list of pairs 
(ai,6i) . . . ( a n ,b n ) (possibly with repetitions), and they want to pick a 
random index i such that Alice learns only m and Bob learns only bi. 
Our solution to this problem has constant number of rounds, negligi- 
ble error probability, and uses only very simple zero-knowledge proofs. 
We then show how to incorporate our cryptographic protocol back into 
a game- theoretic setting, which highlights some interesting parallels be- 
tween cryptographic protocols and extensive form games. 



1 Introduction 

The research areas of Game Theory and Cryptography are both extensively 
studied fields with many problems and solutions. Yet, the cross-over between 
them is surprisingly small: very rarely are tools from one area borrowed to ad- 
dress problems in the other. Some examples of using game-theoretic concepts to 
solve cryptographic problems include the works of Fischer and Wright HU and 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. 112- 1751 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



A Cryptographic Solution to a Game Theoretic Problem 



113 



Kilian m- In this paper we show an example in the other direction of how cryp- 
tographic tools can be used to address a natural problem in the Game Theory 
world. 



1.1 Two Player Strategic Games 

The game-theoretic problem that we consider in this work belongs to the general 
area of two player strategic games , which is an important field in Game Theory 
(see In the most basic notion of a two player game, there are two players, 

each with a set of possible moves. The game itself consists of each player choosing 
a move from its set, and then both players executing their moves simultaneously. 
The rules of the game specify a payoff function for each player, which is computed 
on the two moves. Thus, the payoff of each player depends both on its move and 
the move of the other player. A strategy for a player is a (possibly randomized) 
method for choosing its move. A fundamental assumption of these games, is that 
each player is rational, i.e. its sole objective is to maximize its (expected) payoff. 

A pair of players’ strategies achieves an equilibrium when these strategies 
are self- enforcing, i.e. each player’s strategy is an optimal response to the other 
player’s strategy. In other words, once a player has chosen a move and believes 
that the other player will follow its strategy, its (expected) payoff will not increase 
by changing this move. This notion was introduced in the classical work of Nash 

EH- 

In a Nash equilibrium , each player chooses its move independently of the other 
player. (Hence, the induced distribution over the pairs of moves is a product 
distribution.) Yet, Aumann |j2J showed that in many games, the players can 
achieve much higher expected payoffs, while preserving the “self-enforcement” 
property, if their strategies are correlated (so the induced distribution over the 
pairs of moves is no longer a product distribution) . To actually implement such a 
correlated equilibrium, a “trusted third party” (called a mediator) is postulated. 
This mediator chooses the pair of moves according to the right joint distribution 
and privately tells each player what its designated move is. Since the strategies 
are correlated, the move of one player typically carries some information (not 
known a-priori) on the move of the other player. In a correlated equilibrium, no 
player has an incentive to deviate from its designated move, even knowing this 
extra information about the other player’s move. 

1.2 Removing the Mediator 

As the game was intended for two players, it is natural to ask if correlated equi- 
libria can be implemented without actually having a mediator. In the language 
of cryptography, we ask if we can design a two party game to eliminate the 
trusted third party from the original game. It is well known that in the standard 
cryptographic models the answer is positive, provided that the two players can 
interact, that they are computationally bounded, and assuming some standard 
hardness assumptions (IZ2EBI). We show that this positive answer can be carried 
over to the Game Theory model as well. Specifically, we consider an extended 



114 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



game , in which the players first exchange messages (this part is called “cheap 
talk” by game theorists and is quite standard; see Myerson m for survey), 
and then choose their moves and execute them simultaneously as in the original 
game. The payoffs are still computed as a function of the moves, according to 
the same payoff function as in the original game. 

It is very easy to see that every Nash equilibrium payoff of the extended game 
is also a correlated equilibrium payoff of the original game (the mediator can 
simulate the pre-play communication stage) . Our hope would be to show that any 
Correlated equilibrium payoffs of the original game can always be achieved by 
some Nash equilibrium of the extended game. However, Barany [Sj showed that 
this is generally not true. Namely, that Nash equilibria payoffs of the extended 
game are inside the convex hull of the Nash equilibria payoffs of the original 
game, which often does not include many correlated equilibria payoffs of the 
original game (see Section Q for an example). 

In this work we overcome this difficulty by considering the realistic scenario 
where the players are computationally bounded. In other words, while Game 
Theory typically assumes that the players have unlimited computational capa- 
bilites when they need to make their decisions, we will assume that the players 
are restricted to probabilistic polynomial time. Of independent interest to Game 
Theory, we will define a new concept of a computational Nash equilibrium as 
a pair of efficient strategies where no polynomially bounded player can gain a 
non-negligible advantage by not following its strategy (see Section 0 for formal 
definitions). Then, we prove the following: 

Theorem 1. Let G be any two player strategic game and let G' be the extended 
game of G. If secure two-party protocols exist for non-trivial functions, then for 
any correlated equilibrium s of G there exists a computational Nash equilibrium 
a of G' , such that the payoffs for both players are the same in a and s. 

In other words, any correlated equilibrium payoffs of G can be achieved using 
a computational Nash equilibrium of G' . Thus, the mediator can be eliminated 
if the players are computationally bounded and can communicate prior to the 
game. 

We stress that although this theorem seem quite natural and almost trivial 
from a cryptography point of view, the models of Game Theory and Cryp- 
tography are significantly different, and thus proving it in the Game Theory 
framework requires some care. In particular, two-party cryptographic protocols 
always assume that at least one player is honest, while the other player could 
be arbitrarily malicious. In the game-theoretic setting, on the other hand, both 
players are selfish and rational : they (certainly) deviate from the protocol if they 
benefit from it, and (can be assumed to) follow their protocol otherwise. Also, 
it is important to realize that in this setting we cannot use cryptography to 
“enforce” honest behavior. This is due to the fact that a “cheating player” who 
was “caught cheating” during the protocol, can still choose a move that would 
maximizes its profit. We discuss these and some other related issues further in 
Section Q 



A Cryptographic Solution to a Game Theoretic Problem 



115 



1.3 Doing It Efficiently 

Although the assumption of Theorem ^ can be proven using tools of generic 
two-party computations E5E31 . it would be nice to obtain computational Nash 
equilibria (i.e. protocols) which are more efficient than the generic ones. In Sec- 
tion 0 we observe that for many cases, the underlying cryptographic problem 
reduces to a problem which we call Correlated Element Selection. We believe 
that this natural problem has other cryptographic application and is of inde- 
pendent interest. In this problem, two players, A and B , know a list of pairs 
(ai, &i), . . . , (a n , b n ) (maybe with repetitions), and they need to jointly choose 
a random index i, so that player A only learns the value and player B only 
learns the value fejQ Our final protocol for this problem is very intuitive, has con- 
stant number of rounds, negligible error probability, and uses only very simple 
zero-knowledge proofs. 

Our protocol for Correlated Element Selection uses as a tool a useful primi- 
tive which we call blindable encryption (which can be viewed as a counterpart of 
blindable signatures HDD- Stated roughly, blindable encryption is the following: 
given an encryption c of an (unknown) message m, and an additional message m ' , 
a random encryption of m + m! can be easily computed. This should be done 
without knowing m or the secret key. Examples of semantically secure blind- 
able encryption schemes (under appropriate assumptions) include Goldwasser- 
Micali (SI, ElGamal (03 and Benaloh 0. (In fact, for our Correlated Element 
Selection protocol, it is sufficient to use a weaker notion of blindability, such as 
the one in ESI-) Aside from our main application, we also observe that blindable 
encryption appears to be a very convenient tool for devising efficient two-party 
protocols and suggest that it might be used more often. (For example, in the 
full version of this paper we show a very simple protocol to achieve l - out- of -n 
Oblivious Transfer protocol from any secure blindable encryption scheme.) 

1.4 Related Work 

Game Theory. Realizing the advantages of removing the mediator, various pa- 
pers in the Game Theory community have been published to try and achieve 
this goal. Similarly to our work, Barany |3j shows that the mediator can be 
replaced by pre-play communication but he requires four or more players for 
this communication, even for a game which is intended for two players. In his 
protocol only two players participate as “decision makers” during the pre-play 
communication, and (at least two) other players help them to hide information 
from each other (as Barany showed, two players do not suffice). Barany’s proto- 
col works in an information-theoretic setting (which explains the need for four 
players; see @.) Of course, if one is willing to use a group of players to simulate 
the mediator, then the general multiparty computation tools (e.g. EE!) can 

1 A special case of Correlated Element Selection when ai = bi is just the standard 
coin-flipping problem f?j. However, this is a degenerate case of the problem, since it 
requires no secrecy. In particular, none of the previous coin-flipping protocols seem 
to extend to solve our problem. 



116 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



also be used, even though the solution of Q is simpler. Forges pfmj extends 
these results to more general classes of games. The work of Lehrer and Sorin m 
describes protocols that “reduce” the role of the mediator (the mediator receives 
private signals from the players and makes deterministic public announcements) . 
Mailath et al. m show that the set of correlated equilibria of the original game 
coincides with the set of Nash equilibria of the so called “local-interaction game” 
(where many players are paired up randomly and play the original game). The 
distinguishing feature of our work is the observation that placing realistic com- 
putational restrictions on the players allows them to achieve results which are 
provably impossible when the players are computationally unbounded. 

Cryptography. We already mentioned the relation of our work to generic two- 
party secure computations P 2 E 3 - We note that some of our techniques (in par- 
ticular, the zero-knowledge proofs) are similar to those used for mixing networks 
(see |I1 125) and the references therein) , even though our usage and motivation are 
quite different. Additionally, encryption schemes with various “blinding proper- 
ties” were used for many different purposes, including among others for secure 
storage EH, and secure circuit evaluations ESI- 

2 Background in Game Theory 

Two-player Games. Although our results apply to a much larger class of two- 
player games, we demonstrate them on the simplest possible class of finite strate- 
gic games (with complete information). Such a game G has two players 1 and 
2 , each of whom has a finite set A,; of possible actions and a payoff function 
Ui : Ai x A 2 K > R [i = 1 , 2), known to both players. The players move simul- 
taneously, each choosing an action £ Ai. The payoff of player i is 14(01, CI2). 
The (probabilistic) algorithm that tells player i which action to take is called 
its strategy , and a pair of strategies is called a strategy profile. In our case, a 
strategy Si of player i is simply a probability distribution over its actions Ai, 
and a strategy profile s = (si,S2) is a probability distribution over A\ x A 2 . 
Classical Game Theory assumes that each player is selfish and rational, i.e. only 
cares about maximizing its (expected) payoff. As a result, we are interested in 
strategy profiles that are self-enforcing. In other words, even knowing the strat- 
egy of the other player, each player still has no incentive to deviate from its own 
strategy. Such a strategy profile is called an equilibrium. 



Nash equilibrium. This is the best known notion of an equilibrium m It cor- 
responds to a strategy profile in which players’ strategies are independent. More 
precisely, the induced distribution over the pairs of actions, must be a product 
distribution, s(Ai x A 2 ) = si(Ai) x s 2 (A 2 ). Deterministic (or pure) strategies are 
a special case of such strategies, where Si assigns probability 1 to some action. 
For strategies Si and S2, we denote by Ui(si,s 2 ) the expected payoff for player i 
when players independently follow si and S2. 



A Cryptographic Solution to a Game Theoretic Problem 



117 



Definition 1 . A Nash equilibrium of a game G is an independent strategy pro- 
file (s*^), such that for any cii £ A\, 02 £ A 2 , we have u^s^s?;) > ui(ai,S2) 
and u 2 (s^ , ^2) > u 2 {s* l ,a 2 ). 

In other words, given that player 2 follows sj, sf is an optimal response of player 

1 and vice versa. 

Correlated equilibrium. While Nash equilibrium is quite a natural and appealing 
notion (since players can follow their strategies independently of each other), 
one can wonder if it is possible to achieve higher expected payoffs if one allows 
correlated strategies. 

In a correlated strategy profile 2 j, the induced distribution over A\ x A 2 
can be an arbitrary distribution, not necessarily a product distribution. This 
can be implemented by having a trusted party (called mediator ) sample a pair 
of actions (01,02) according to some joint probability distribution s(Ai x A 2 ), 
and “recommend” the action Oj to player i. We stress that knowing a^, player i 
now knows a conditional distribution over the actions of the other player (which 
can be different for different a^’s), but knows nothing more. We denote these 
distributions by s 2 (- | 01) and si(- | a 2 ). 

For any a\ £ Ai, a ' 2 £ A 2 , let Ui(a' 1 ,s 2 | Oi) be the expected value of 
ui(a' 1 ,a 2 ) when a 2 is distributed according to S2O | ai) (similarly for u 2 (si,a 2 | 
02)). In other words, 1x1(01,52 | ai) measures the expected payoff of player 1 if 
his recommended action was oi (thus, a 2 is distributed according to S2O | ai)), 
but it decided to play a'i instead. As before, we let ufs) be the expected value of 
Uj(ai, 02) when (ai, 02) are drawn according to s. Similarly to Nash equilibrium, 
a more general notion of a correlated equilibrium is defined, which ensures that 
players have no incentive to deviate from the “recommendation” they got from 
the mediator. 

Definition 2 . A correlated equilibrium is a strategy profile s* = s*(Ai x A 2 ) = 
(s*, sj) , such that for any (a*, a?;) in the support of s* , any ai £ A\ and a 2 £ A 2 , 
we have r«i(a*, sj | aj) > rti(ai, | a{) and u 2 (sl, a 2 \ a%) > u 2 (sl, a 2 \ a 2 ). 

Given Nash (resp. Correlated) equilibrium (s*,S2), we say that (s^sj) achieves 
Nash (resp. Correlated) equilibrium payoffs [ui(s*, sj), U2(st, sj)]- 

Correlated equilibria of any game form a convex set, and therefore always 
include the convex hull of Nash equilibria. However, it is well known that cor- 
related equilibria can give equilibrium payoffs outside (and significantly better!) 
than anything in the convex hull of Nash equilibria payoffs. This is demon- 
strated in the following simple example first observed by Aumann 3 , who also 
defined the notion of correlated equilibrium. Much more dramatic examples can 
be shown in larger games H 

Game of “Chicken”. We consider a simple 2 x 2 game, the so-called game of 
“Chicken” shown in the table to the right. Here each player can either “dare” 

2 For example, there are games with a unique Nash equilibrium s and many Correlated 
equilibria giving both players much higher payoffs than s. 



118 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



( D ) or “chicken out” ( C ). The combination (D,D) has a devastating effect 
on both players (payoffs [0,0]), (C,C) is quite good (payoffs [4,4]), while each 
player would ideally prefer to dare while the other 
chickens-out (giving him 5 and the opponent 1). While 
the “wisest” pair of actions is ( C,C ), this is not a Nash 
equilibrium, since both players are willing to deviate to D 
(believing that the other player will stay at C). The game 
is easily seen to have three Nash equilibria: s 1 = ( D,C ), 
s 2 = (C, D) and s 3 = (± • D + \ ■ C, \ ■ D + \ ■ C). 

The respective Nash equilibrium payoffs are [5,1], [1,5] 
and [§,§]■ We see that the first two pure strategy Nash 
equilibria are “unfair”, while the last mixed equilibrium 
has small payoffs, since the mutually undesirable outcome 
(D, D) happens with non-zero probability 1 in the product 
distribution. The best “fair” strategy profile in the convex 
hull of the Nash equilibria is the combination Is 1 + \s 2 = 

(\(C,D) + 1( D,C )), yielding payoffs [3,3]. On the other 
hand, the profile s* = (\{C,D) + \{D,C) + \{C,C)) is 
a correlated equilibrium, yielding payoffs [3|,3|] outside 
any convex combination of Nash equilibria. 

To briefly see that this is a correlated equilibrium, consider the “row player” 
1 (same works for player 2) . If it is recommended to play C, its expected payoff 
is|-4+|-l=§ since, conditioned on a\ = C, player 2 is recommended to play 
C and D with probability 1 each. If player 1 switched to D, its expected payoff 
would still be \ ■ 5 + | • 0 = §, making player 1 reluctant to switch. Similarly, if 
player 1 is recommended D, it knows that player 2 plays C (as ( D,D ) is never 
played in s*), so its payoff is 5. Since this is the maximum payoff of the game, 
player 1 would not benefit by switching to C in this case. Thus, we indeed have 
a correlated equilibrium, where each player’s payoff is |(1 + 5 + 4) = 3|, as 
claimed. 





C 


D 


c 


4,4 


1,5 


D 


5,1 


0,0 




Chicken’ 




C 


D 


C 


1/4 


1/4 


D 


1/4 


1/4 


Mixed Nash 




C 


D 


C 


1/3 


1/3 


D 


1/3 


0 



Correlated s* 



3 Implementing the Mediator 



In this section we show how to remove the mediator using cryptographic means. 
We assume the existence of generic secure two-party protocols and show how to 
achieve our goal by using such protocols in the game- theoretic (rather than its 
designated cryptographic) setting. In other words, the players remain selfish and 
rational, even when running the cryptographic protocol. In Section 0we give an 
efficient implementation for the types of cryptographic protocols that we need. 

Extended Games. To remove the mediator, we assume that the players are (1) 
computationally bounded and (2) can communicate prior to playing the original 
game, which we believe are quite natural and minimalistic assumptions. To for- 
mally define the computational power of the players, we introduce an external 



A Cryptographic Solution to a Game Theoretic Problem 



119 



security parameter into the game, and require that the strategies of both players 
can be computed in probabilistic polynomial time in the security parameter 0 

To incorporate communication into the game, we consider an extended game , 
which is composed of three parts: first the players are given the security param- 
eter and they freely exchange messages (i.e., execute any two-party protocol), 
then each player locally selects its move, and finally both players execute their 
move simultaneously. The final payoffs u! i of the extended game are just the corre- 
sponding payoffs of the original game applied to the players’ simultaneous moves 
at the last step. 

The notions of a strategy and a strategy profile are straightforwardly general- 
ized from those of the basic game, except that they are full-fledged probabilistic 
algorithms telling each player what to do in each situation. We now define the 
notion of a computational Nash equilibrium of the extended game, where the 
strategies of both players are restricted to probabilistic polynomial time (PPT). 
Also, since we are talking about a computational model, the definition must 
account for the fact that the players may break the underlying cryptographic 
scheme with negligible probability (e.g., by guessing the secret key), thus gaining 
some advantage in the game. In the definition and discussion below, we denote 
by negl(k) some function that is negligible in k. 

Definition 3. A computational Nash equilibrium of an extended game G is an 
independent strategy profile (cr *, 03 ), such that 

(a) both al, <r 2 are PPT computable; and 

(b) for any other PPT computable strategies a[,c r 2 , we have 

ui(a[, a 2 ) < Ui(al, a 2 ) + negl(k) and ^(crj, cr 2 ) < a 2 ) + negl(k). 

We notice that the new “philosophy” for both players is still to maximize their 
expected payoff, except that the players will not change their strategy if their 
gain is negligible. 

The idea of getting rid of the mediator is now very simple. Consider a cor- 
related equilibrium s(Ai x A 2 ) of the original game G. Recall that the job of 
the mediator is to sample a pair of actions (ai, CI 2 ) according to the distribution 
s, and to give cq to player i. We can view the mediator as a trusted party who 
securely computes a probabilistic (polynomial-time) function s. Thus, to remove 
it we can have the two players execute a cryptographic protocol P that securely 
computes the function s. The strategy of each player would be to follow the 
protocol P, and then play the action a that it got from P. 

Yet, several issues have to be addressed in order to make this idea work. First, 
the above description does not completely specify the strategies of the players. A 
full specification of a strategy must also indicate what a player should do if the 
other player deviates from its strategy (in our case, does not follow the protocol 
P). While cryptography does not address this question (beyond the guarantee 
that the other player is likely to detect the deviation and abort the protocol), it is 

3 Note that the parameters of the original game (like the payoff functions, the corre- 
lated equilibrium distribution, etc.) are all independent of the security parameter, 
and thus can always be computed “in constant time”. 



120 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



crucial to resolve it in our setting, since “the game must go on”: No matter what 
happens inside P, both players eventually have to take simultaneous actions, 
and receive the corresponding payoffs (which they wish to maximize). Hence 
we must explain how to implement a “punishment for deviation” within the 
game-theoretic framework. 

Punishment for Deviations. We employ the standard game-theoretic solution, 
which is to punish the cheating player to his minmax level. This is the smallest 
payoff that one player can “force” the other player to have. Namely, the minmax 
level of player 2 is V 2 = min Sl max S2 U 2 (si, S 2 ). Similarly, minmax level of player 
1 is v\ = min S2 max Sl ni(si, S 2 ). To complete the description of our proposed 
equilibrium, we let each player punish the other player to its minmax level, if the 
other player deviates from P and is “caught”. Namely, if player 2 cheats, player 1 
will play in the last stage of the game the strategy si achieving the minmax payoff 
V 2 for player 2 and vice versa. Note that the instances where a player deviates 
from P but this is not detected falls under the negligible probability that the 
protocol will fail. Note also that in “interesting” games, the minmax payoff would 
be strictly smaller than the correlated equilibrium payoffs. Intuitively, in this 
case the only potentially profitable cheating strategy is an “honest but curious” 
behavior, where a player follows the prescribed protocol but tries nonetheless 
to learn additional information about the action of the other player. Any other 
cheating strategy would carry an overwhelming probability of “getting caught”, 
hence causing a real loss. Thus, we first observe the following simple fact: 

Lemma 1. Let s* = (s*^) be a correlated equilibrium. For any action a\ of 
player 1 which occurs with non-zero probability in s*, denote piffli) = u\(a\, sJIai). 
That is, p(a±) is the expected payoff of player 1 when its recommended action is 
a±. Similarly, we define for player 2 p, 2 ( 02 ) = U 2 (s\\a 2 , 02 ). 

Let Vi be the minmax payoff of player i, then for every ai, <22 that occur with 
non-zero probability in s* , it holds that Pi(ai) > Vj. 

Theorem ^ now follows almost immediately from Lemma Q and the security of 
P. Intuitively, since (a) a cheating player that “gets caught” is going to lose by 
Lemma ^ and (b) the security of P implies that cheating is detected with very 
high probability, we get that the risk of getting caught out-weights the benefits 
of cheating, and players will not have an incentive to deviate from the protocol 
P. (A particular type of cheating in P is “early stopping”. Since the extended 
game must always result in players getting payoffs, early stopping is not an issue 
in game theory, since it will be punished by the minmax level as well.) 

Somewhat more formally, let v\ = rti(s*, s?;), and consider that 1 is a cheating 
player who uses some arbitrary (but PPT computable) strategy (the analysis 
for player 2 is similar). Let the action taken by player 1 in the extended game 
be considered its output of the protocol. The output of player 2 is whatever is 
specified in its part of the protocol P, which is either an action (if the protocol 
runs to completion) or “abort” (if some “cheating” is detected). 

According to standard definitions of secure protocols (e.g., the one by 
Canetti 0), P is secure if the above output pair can be simulated in an “ideal 



A Cryptographic Solution to a Game Theoretic Problem 



121 



model” . This “ideal model” is almost exactly the model of the trusted mediator, 
except that player 1 may choose to have the mediator abort before it recom- 
mends an action to player 2 (in which case the output of player 2 in the ideal 
model is also “abort” ) . The security of P implies that the output distribution in 
the execution of the protocol in the “real world” is indistinguishable from that 
of the “ideal world” . 

Consider now the function -Lt! (-, -), which denotes the “payoff of player 1 ” 
in the extended game, given a certain output pair. That is, if the output is a 
pair of actions (01,02) than (01,02) = 1(1(01,02), and if the output of the 
second player is “abort” then 01(01, “abort”) = 01(01,02), where 02 is the min- 
max move for player 2 . Note that in the real world, the function u\ indeed 
represents the payoff of player 1 using strategy s'i, but note also that this func- 
tion is well defined even in the ideal world. Clearly, the expected value of U\ in 
the real world is at most negligibly higher than in the ideal world. Otherwise, 
the output distributions in the two worlds could be distinguished with a non- 
negligible advantage by comparing the value of this function to some properly 
chosen threshold, contradicting the security of the protocol P. 

Therefore, to prove Theorem [0 it is sufficient to show that the expected 
value of u\ in the ideal world is at most v\ (which is equal to the correlated 
equilibrium payoff of player 1 in the original game G). This is where we use 
Lemma Q this lemma tells us that in the ideal world, no matter what action 
that is recommended to player 1 , this player cannot increase the expected value 
of u\ by aborting the mediator before it recommends an action to player 2 . 
Hence, we can upper bound the expected value of U\ in the ideal world by 
considering a strategy of player 1 that never aborts the mediator. Such strategy 
corresponds exactly to a strategy in the original game G (with the mediator), 
and so it cannot achieve expected payoff of more than v\. This completes the 
proof. 

Subgame Perfect Equilibrium. In looking at the computational Nash equilib- 
rium we constructed, one may wonder why would a player want to carry out 
the “minmax punishment” when it catches the other player cheating (since this 
“punishment” may also hurt the “punishing player”). The answer is that the 
notion of Nash equilibrium only requires player’s actions to be optimal provided 
the other player follows its strategy. Thus, it is acceptable to carry out the pun- 
ishment even if this results in a loss for both players. We note that this oddity 
(known as an “empty threat” in the game-theoretic literature) is one of the rea- 
son the concept of Nash equilibrium is considered weak in certain situations. As 
a result, game theorists often consider a stricter version of a Nash equilibrium 
for extended games, called a subgame perfect equilibrium. 

In the full version we show that Theorem Q can be broadened to the case 
of the subgame perfect equilibrium. Generally stated, we prove that every “in- 
teresting” correlated-equilibrium payoff of the game G can be achieved by a 
subgame perfect equilibrium of an extended game G' . 



122 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



4 The Correlated Element Selection Problem 

In most common games, the joint strategy of the players is described by a 
short list of pairs {(movel, move2)}, where the strategy is to choose at ran- 
dom one pair from this list, and have Player 1 play movel and Player 2 play 
move2. (For example, in the game of chicken the list consists of three pairs 
{(D,C),(C,D),(C,C)}.fl 

Hence, to obtain an efficient solution for such games, we need an efficient 
cryptographic protocol for the following problem: Two players, A and 5, know 
a list of pairs (ai, &i), . . . , (a„, b n ) (maybe with repetitions), and they need to 
jointly choose a random index i, and have player A learn only the value a* and 
player B learn only the value b t . We call this problem the Correlated Element 
Selection problem. In this section we describe our efficient solution for this prob- 
lem. We start by presenting some notations and tools that we use (in particular, 
“blindable encryption schemes”). We then show a simple protocol that solves 
this problem in the special case where the two players are “honest but curious” , 
and explain how to modify this protocol to handle the general case where the 
players can be malicious. 

4.1 Notations and Tools 

We denote by [n] the set {1,2, ...n}. For a randomized algorithm A and an 
input x, we denote by A(x) the output distribution of A on x, and by A(x\ r) 
we denote the output string when using the randomness r. If one of the inputs 
to A is considered a “key”, then we write it as a subscript (e.g., Ak{x)). We use 
pk,pki,pk 2 , ... to denote public keys and sk, ski , sfc 2j ■ ■ • to denote secret keys. 

The main tool that we use in our protocol is blindable encryption schemes. 
Like all public- key encryption schemes, blindable encryption schemes include 
algorithms for key-generation, encryption and decryption. In addition they also 
have a “blinding” and “combining” algorithms. We denote these algorithms by 
Gen, Enc, Dec , Blind , and Combine , respectively. Below we formally define the 
blinding and combining functions. In this definition we assume that the message 
space M forms a group (which we denote as an additive group with identity 0). 

Definition 4 (Blindable encryption). A public-key encryption scheme £ is 
blindable if there exist (PPT) algorithms Blind and Combine such that for every 
message m and every ciphertext c G Enc p k(m): 

— For any message m' (also referred to as the “blinding factor'’ ) , Blind p k(c , m') 
produces a random encryption of m + m! . Namely, the distribution 
Blind p k(c,m') should be equal to the distribution Enc p k(m + mf). 

Enc p k(m + m ') = Blind p k{c, m') (1) 

4 Choosing from the list with distribution other than the uniform can be accommo- 
dated by having a list with repetitions, where a high-probability pair appears many 
times. 



A Cryptographic Solution to a Game Theoretic Problem 



123 



— If r±,r 2 are the random coins used by two successive '‘blindings'’ , then for 
any two blinding factors mi, m 2 , 

Blindpk (Blindpk (c, m \ ; ?r),m 2 ; r 2 ) 

= Blind p k(c,mi + m 2 ; Combine p k{ri,r 2 )) (2) 

Thus, in a blindable encryption scheme anyone can “randomly translate” the 
encryption c of m into an encryption d of m + in’ , without knowledge of m or 
the secret key, and there is an efficient way of “combining” several blindings into 
one operation. 

Both the ElGamal and the Goldwasser-Micali encryption schemes can be ex- 
tended into blindable encryption schemes. We note that most of the components 
of our solution are independent of the specific underlying blindable encryption 
scheme, but there are some aspects that still have to be tailored to each scheme. 
(Specifically, proving that the key generation process was done correctly is han- 
dled differently for different schemes. See details in the full paper m 

4.2 A Protocol for the Honest-but-Curious Case 

For the case of honest-but-curious players, one can present an “almost trivial” 
solution using any 1-out-of-n oblivious transfer protocol. However, in order to 
be able to derive an efficient protocol also for the general case, our starting point 
would be a somewhat different (but still very simple) protocol. 

Let us recall the Correlated Element Selection problem. Two players share a 
public list of pairs {(a^, 6,;)}” =] . For reasons that will soon become clear, we call 
the two players the “Preparer” (P) and the “Chooser” (C). The players wish to 
pick a random index i such that P only learns and C only learns bi. Figure [Q 
describes the Correlated Element Selection protocol for the honest-but-curious 
players. We employ a semantically secure blindable encryption scheme and for 
simplicity, we assume that the keys for this scheme were chosen by a trusted 
party ahead of time and given to P, and that the public key was also given to 
C. 

At the beginning of the protocol, the Preparer randomly permutes the list, 
encrypts it element-wise and sends the resulting list to the Chooser. (Since the 
encryption is semantically secure, the Chooser “cannot extract any useful in- 
formation” about the permutation 7 r.) The Chooser picks a random pair of ci- 
phertexts ( cl , df) from the permuted list (so the final output pair will be the 
decryption of these ciphertexts). It then blinds q with 0 (i.e. makes a random 
encryption of the same plaintext), blinds di with a random blinding factor (3, 
and sends the resulting pair of ciphertexts (e, /) back to the Preparer. Decryp- 
tion of e gives the Preparer its element a (and nothing more, since e is a random 
encryption of a after the blinding with 0), while the decryption b of f does not 
convey the value of the actual encrypted message since it was blinded with a 
random blinding factor. The Preparer sends b to the Chooser, who recovers his 
element b by subtracting the blinding factor (3. 

It is easy to show that if both players follow the protocol then their output 
is indeed a random pair ( ai , bi) from the known list. Moreover, at the end of the 



124 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



Protocol CES-1 


Common inputs: List of pairs {(a;, bi)}™ =1 , public key pk. 
Preparer knows: secret key sk. 


P : 


1. Permute and Encrypt. 

Pick a random permutation 7r over [n]. 

Let ( a,di ) = (Encpkia^^)), Enc p k(b „ (i ))), for all i £ [n]. 
Send the list {(d, di)}( =1 to C. 


C : 


2. Choose and Blind. 

Pick a random index £ £ [n], and a random blinding factor (3. 
Let (e, /) = (Blind p k(ce, 0), Blind pk (de, /3)). 

Send (e, /) to P. 


P : 


3. Decrypt and Output. 

Set a = Dec s k{e), b = Dec 3 k{f). Output a. 
Send b to C. 


C : 


4 . Unblind and Output. 

Set b = b — (3- Output b. 



Fig. 1. Protocol for Correlated Element Selection in the honest-but-curious model. 



protocol the Preparer has no information about b other than wlrat’s implied by 
its own output a, and the Chooser gets “computationally no information” about 
a other than what’s implied by b. Hence we have: 

Theorem 2. Protocol CES-1 securely computes the (randomized) function of the 
Correlated Element Selection problem in the honest-but-curious model. 

Proof omitted. 

4.3 Dealing with Dishonest Players 

Generic transformation. Following the common practice in the design of secure 
protocols, one can modify the above protocol to deal with dishonest players by 
adding appropriate zero-knowledge proofs. That is, after each flow of the origi- 
nal protocol, the corresponding player proves in zero knowledge that it indeed 
followed its prescribed protocol: After Step 1, the Preparer proves that it knows 
the permutation tt that was used to permute the list. After Step 2 the Chooser 
proves that it knows the index £ and the blinding factor that was used to produce 
the pair (e,/). Finally, after Step 3 the Preparer proves that the plaintext b is 
indeed the decryption of the ciphertext /. Given these zero- knowledge proofs, 
one can appeal to general theorems about secure two-party protocols, and prove 
that the resulting protocol is secure in the general case of potentially malicious 
players. 





A Cryptographic Solution to a Game Theoretic Problem 



125 



We note that the zero-knowledge proofs that are involved in this protocol can 
be made very efficient, so even this “generic” protocol is quite efficient (these are 
essentially the same proofs that are used for mix-networks in HQ, see description 
in the full paper). However, a closer look reveals that one does not need all 
the power of the generic transformation, and the protocol can be optimized in 
several ways. Some of the optimizations are detailed below, while protocols for 
the zero-knowledge proofs and issues of key generation can be found in the full 
paper m ■ The resulting protocol CES-2 is described in Figure 0 

Theorem 3. Protocol CES-2 securely computes the (randomized) function of the 
Correlated Element Selection problem. 

Proof omitted. 

Proof of proper decryption. To withstand malicious players, the Preparer P 
must “prove” that the element b that it send in Step 3 of CES-1 is a proper 
decryption of the ciphertext /. However, this can be done in a straightforward 
manner without requiring zero-knowledge proofs. Indeed, the Preparer can reveal 
additional information (such as the randomness used in the encryption of /), as 
long as this extra information does not compromise the semantic security of the 
ciphertext e. The problem is that P may not be able to compute the randomness 
of the blinded value / (for example, in ElGamal encryption this would require 
computation of discrete log). Hence, we need to devise a different method to 
enable the proof. 

The proof will go as follows: for each i £ [n], the Preparer sends the element 
and corresponding random string that was used to obtain ciphertexts di in 
the first step. The Chooser can then check that the element dc that it chose in 
Step 2 was encrypted correctly, and learn the corresponding plaintext. 

Clearly, in this protocol the Chooser gets more information than just the 
decryption of / (specifically, it gets the decryption of all the df s). However, 
this does not affect the security of the protocol, as the Chooser now sees a 
decryption of a permutation of a list that he knew at the onset of the protocol. 
This permutation of the all bfs does not give any information about the output 
of the Preparer, other than what is implied by its output b. In particular, notice 
that if b appears more than once in the list, then the Chooser does not know 
which of these occurrences was encrypted by dg. 

Next, we observe that after the above change there is no need for the Chooser 
to send / to the Preparer; it is sufficient if C sends only e in Step 2, since it can 
compute the decryption of dc by itself. 

A weaker condition in the second proof-of-knowledge. Finally, we observe that 
since the security of the Chooser relies on an information-theoretic argument, 
the second proof-of-knowledge (in which the Chooser proves that it knows the 
index £) does not have to be fully zero-knowledge. In fact, tracing through the 
proof of security, one can verify that it is sufficient for this proof to be witness 
independent in the sense of Feige and Shamir KEJ. 



126 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 

Protocol CES-2 

Common inputs: List of pairs {(cp, 6;)}" =1 , public key pk. 

Preparer knows: secret key sk. 

P : 1. Permute and Encrypt. 

Pick a random permutation n over [n], and random strings {(Yi, Si)}" =1 . 
Let (ci, di) = (Enc p k(a n (i); rvp)), Enc p k{b n ^\ s^p))), for all i <E [n]. 

Send {(ci,di)}™ =1 to C. 

Sub-protocol J7i: P proves in zero-knowledge that it knows the 
randomness {(ri,Si)}" =1 and permutation 7r that were used to obtain the 
list {(a,di)}i = i- 

C : 2. Choose and Blind. 

Pick a random index £ G [n] . 

Send to P the ciphertext e = Blind p k(ce, 0). 

Sub-protocol II 2 : C proves in a witness-independent manner that it 
knows the randomness and index £ that were used to obtain e. 

P : 3. Decrypt and Output. 

Set a = Dec s k{e). Output a. 

Send to C the list of pairs {{b n (i), S 7 r(i))}”=i (in this order). 

C : 4. Verify and Output. 

Denote by (b, s) the £’th entry in this lists (i.e., (b, s) = (6^^), s^^) ). 

If de = Enc p k{b; s ) then output b. 



Fig. 2. Protocol for Correlated Element Selection. 



Blinding by Zero. Notice that for the modified protocol we did not use the full 
power of blindable encryption, since we only used “blindings” by zero. Namely, 
all that was used in these protocols is that we can transform any ciphertext 
c into a random encryption of the same plaintext. (The zero-knowledge proofs 
also use only “blindings” by zero.) This is exactly the “random self-reducibility” 
property used by Sander et al. m- 

Efficiency. We note that all the protocols that are involved are quite simple. In 
terms of number of communication flows, the key generation step and Step 1 
take at most five flows each, using techniques which appear in Appendix 0 
Step 2 takes three flows and Step 3 consists of just one flow. Moreover, these 
flows can be piggybacked on each other. Hence, we can implement the protocol 
with only five flows of communication, which is equal to the five steps which are 
required by a single proof. In terms of number of operations, the complexity of 
the protocol is dominated by the complexity of the proofs in Steps 1 and 2. The 



A Cryptographic Solution to a Game Theoretic Problem 



127 



proof in Step 1 requires nk blinding operations (for a list of size n and security 
parameter k), and the proof of Step 2 can be optimized to about nk / 2 blinding 
operations on the average. Hence, the whole protocol has about | nk blinding 
operations^ 

5 Epilogue: Cryptography and Game Theory 

The most interesting aspect of our work is the synergy achieved between crypto- 
graphic solutions and the game-theory world. Notice that by implementing our 
cryptographic solution in the game-theory setting, we gain on the game-theory 
front (by eliminating the need for a mediator) , but we also gain on the cryptog- 
raphy front (for example, in that we eliminate the problem of early stopping). 
In principle, it may be possible to make stronger use of the game theory setting 
to achieve improved solutions. For example, maybe it is possible to prove that 
in the context of certain games, a player does not have an incentive to deviate 
from its protocol, and so in this context there is no point in asking this player to 
prove that it behaves honestly (so we can eliminate some zero-knowledge proofs 
that would otherwise be required). 

More generally, it may be the case that working in a model in which “we 
know what the players are up to” can simplify the design of secure protocols. 
It is a very interesting open problem to find interesting examples that would 
demonstrate such phenomena. 

We conclude with the table that shows some parallels between Cryptography 
and Game Theory that we discussed. 



Issue 


Cryptography 


Game Theory 


Incentive 


None 


Payoff 


Players 


Totally Honest/Malicious 


Always Rational 


Punishing Cheaters 


Outside Model 


Central Part 


Solution Concept 


Secure Protocol 


Equilibrium 


Early Stopping 


Problem 


Not an Issue 



5 We note that the protocol includes just a single decryption operation, in Step 3. 
In schemes where encryption is much more efficient than decryption - such as the 
Goldwasser-Micali encryption - this may have a significant impact on the perfor- 
mance of the protocol. 



128 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



References 

1. M. Abe. Universally Verifiable Mix- net with Verification Work Independent on the 
number of Mix-centers. In Proceedings of EUROCRYPT ’98, pp. 437-447, 1998. 

2. R. Aumann. Subjectivity and Correlation in Randomized Strategies. In Journal 
of Mathematical Economics, 1, pp. 67-95, 1974 

3. I. Barany. Fair distribution protocols or how the players replace fortune. Mathe- 
matics of Operations Research, 17(2):327-340, May 1992. 

4. M. Bellare, R. Impagliazzo, and M. Naor. Does parallel repetition lower the error 
in computationally sound protocols? In 38th Annual Symposium on Foundations 
of Computer Science, pages 374-383. IEEE, 1997. 

5. J. Bcnaloh. Dense Probabilistic Encryption. In Proc. of the Workshop on Selected 
Areas in Cryptography, pp. 120-128, 1994. 

6. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non- 
cryptographic fault-tolerant distributed computation. In Proceedings of the 20th 
Annual ACM Symposium on Theory of Computing, pages 1-10, 1988. 

7. M. Blum. Coin flipping by telephone: A protocol for solving impossible problems. 
In CRYPTO ’81. ECE Report 82-04, ECE Dept., UCSB, 1982. 

8. G. Brassard, D. Chaum, and C. Crepeau. Minimum disclosure proofs of knowledge. 
JCSS, 37(2): 156-189, 1988. 

9. R. Canetti, Security and Composition of Multi-parti Cryptographic Protocols. 
Journal of Cryptology, 13(l):143-202. 

10. D. Chaum. Blind signatures for untraceable payment. In Advances in Cryptology 
- CRYPTO ’82, pages 199-203. Plenum Press, 1982. 

11. D. Chaum, C. Crepeau, and E. Damgard. Multiparty unconditionally secure pro- 
tocols. In Advances in Cryptology - CRYPTO '87, volume 293 of 99 Lecture Notes 
in Computer Science, pages 462-462. Springer- Verlag, 1988. 

12. R. Cramer, I. Damgard, and P. MacKenzie. Efficient zero-knowledge proofs of 
knowledge without intractability assumptions. Proceedings of PKC 2000 January 
2000, Melbourne, Australia. 

13. Y. Dodis and S. Halevi and T. Rabin. Cryptographic Solutions to a Game Theoretic 
Problem, http : / /www . research, ibm. com/ security/DHROO .ps. 

14. C. Dwork, M. Naor, and A. Sahai. Concurrent zero knowledge. In Proceedings of 
the 30th Annual ACM STOC , pages 409-418. ACM Press, 1998. 

15. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete 
logarithms. In CRYPTO ’84, LNCS 196, pages 10-18. Springer- Verlag, 1985. 

16. U. Feige and A. Shamir. Witness indistinguishable and witness hiding protocols. 
In Proceedings of the 22nd Annual ACM STOC , pages 416-426. ACM Press, 1990. 

17. M. Fischer, R. Wright. An Application of Game-Theoretic Techniques to Cryp- 
tography. In Advances in Computational Complexity Theory, DIMACS Series in 
Discrete Mathematics and Theoretical Computer Science, vol. 13, pp. 99-118, 1993. 

18. F. Forges. Can sunspots repalce the mediator? In J. of Math. Economics, 17:347- 
368, 1988. 

19. F. Forges. Universal Mechanisms, In Econometrica, 58:1341-1364, 1990. 

20. D. Fudenberg, J. Tirole. Game Theory. MIT Press, 1992. 

21. J. Garay, R. Gennaro, C. Jutla, and T. Rabin. Secure distributed storage and 
retrieval. In Proc. 11th International Workshop on Distributed Algorithms (WDAG 
’97), LNCS 1320, pages 275-289. Springer- Verlag, 1997. 

22. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. In 
Proceedings of the 19th Annual ACM Symposium on Theory of Computing, pages 
218-229, 1987. 




A Cryptographic Solution to a Game Theoretic Problem 



129 



23. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and 
System Sciences, 28(2):270-299, April 1984. 

24. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive 
proof systems. SIAM Journal on Computing, 18(l):186-208, 1989. 

25. M. Jakobsson. A Practical Mix. In Proceedings of EUROCRYPT ’98, pp. 448-461, 
1998. 

26. J. Kilian. (More) Completeness Theorems for Secure Two-Party Computation In 
Proc. of STOC, 2000. 

27. E. Lehrer and S. Sorin. One-shot public mediated talk. Discussion Paper 1108, 
Northwestern University, 1994. 

28. P. MacKenzie. Efficient ZK Proofs of Knowledge. Unpublished manuscript, 1998. 

29. G. Mailath, L. Samuelson and A. Shaked. Correlated Equilibria and Local Inter- 
action In Economic Theory, 9, pp. 551-556, 1997. 

30. R. Myerson. Communication, correlated equilibria and incentive compatibility. In 
Handbook of Game Theory, Vol. II, Elsevier, Amsterdam, pp. 827-847, 1994. 

31. J.F. Nash. Non-Cooperative Games. Annals of Mathematics, 54 pages 286-295. 

32. M. Osborne, A. Rubinstein. A Course in Game Theory. The MIT Press, 1994. 

33. T. Sander, A. Young, and M. Yung. Non-interactive CryptoComputing for NCI. 
In fOth Annual Symposium on Foundations of Computer Science, pages 554-567. 
IEEE, 1999. 

34. A. C. Yao. Protocols for secure computations (extended abstract). In 23rd Annual 
Symposium on Foundations of Computer Science, pages 160-164. IEEE, Nov. 1982. 

A Reducing the Error in a Zero-Knowledge 
Proof-of-Knowledge 

Below we describe a known transformation from any 3-round, constant-error 
zero-knowledge proof-of-knowledge into a 5-round, negligible error zero know- 
ledge proof-of-knowledge, that uses trapdoor commitment schemes. We were 
not able to trace the origin of this transformation, although related ideas and 
techniques can be found in mm- 

Assume that you have some 3-round, constant-error zero-knowledge proof-of- 
knowledge protocol, and consider the 3-round protocol that you get by running 
the constant-error protocol many times in parallel. Denote the first prover mes- 
sage in the resulting protocol by a, the verifier message by /?, and the last prover 
message by 7 . Note that since the original protocol was 3-round, then parallel 
repetition reduces the error exponentially (see proof in |2j). However, this pro- 
tocol is no longer zero-knowledge. 

To get a zero-knowledge protocol, we use a trapdoor (or Chameleon) commit- 
ment schemes jBj ■ Roughly, this is a commitment scheme which is computation- 
ally binding and unconditionally secret, with the extra property that there exists 
a trapdoor information, knowledge of which enables one to open a commitment 
in any way it wants. 

In the zero-knowledge protocol, the prover sends to the verifier in the first 
round the public-key of the trapdoor commitment scheme. The verifier then 
commits to (3, the prover sends a, the verifier opens the commitment to (3, 



130 Yevgeniy Dodis, Shai Halevi, and Tal Rabin 



and the prover sends 7 and also the trapdoor for the commitment. The zero- 
knowledge simulator follows the one for the standard 4-round protocol. The 
knowledge extractor, on the other hand, first runs one instance of the proof to 
get the trapdoor, and then it can effectively ignore the commitment in the second 
round, so you can use the extractor of the original 3-round protocol. 




Differential Fault Attacks 
on Elliptic Curve Cryptosystems 
(Extended Abstract) 



Ingrid Biehl 1 , Bernd Meyer 2 , and Volker Miiller 3 

1 University of Technology, Computer Science Department, 
Alexanderstrafie 10, 64283 Darmstadt, Germany, 
biehlOinf ormatik. tu-darmstadt . de 
2 Siemens AG, Corporate Technology, 

81730 Mrinchen, Germany, 
bernd. meyerOmchp . siemens .de 
3 Universitas Kristen Duta Wacana, 

Jl. Dr. Wahidin 5-19, Yogyakarta 55224, Indonesia, vmuellerSukdw. ac . id 



Abstract. In this paper we extend the ideas for differential fault at- 
tacks on the RSA cryptosystem (see ]!]) to schemes using elliptic curves. 
We present three different types of attacks that can be used to derive 
information about the secret key if bit errors can be inserted into the 
elliptic curve computations in a tamper-proof device. The effectiveness 
of the attacks was proven in a software simulation of the described ideas. 

Key words: Elliptic Curve Cryptosystem, Differential Fault Attack. 



1 Introduction 

Elliptic curves have gained especially much attention in public key cryptography 
in the last few years. Standards for elliptic curve cryptosystems (ECC) and 
signature schemes were developed [7] . The security of ECC is usually based on 
the (expected) difficulty of the discrete logarithm problem in the group of points 
on an elliptic curve. In many practical applications of ECC the secret key (the 
solution to a discrete logarithm problem) is stored inside a tamper-proof device, 
usually a smart card. It is considered to be impossible to extract the key from 
the card without destroying the information. For security reasons the decryption 
or signing process is usually also done inside the card. 

Three years ago a new kind of attack on smart card implementations of cryp- 
tosystems became public, the so called differential fault attack (DFA), which has 
been successful in attacking RSA Pj , DES P] , and even helps reverse-engineering 
unknown cryptosystems. The basic idea of DFA is the enforcement of bit errors 
into the decryption or signing process which is done inside the smart card. Then 
information on the secret key can leak out of the card. In RSA implementations 
for example this information can be used to factor the RSA modulus (at least 
with some non-negligible probability), which is equivalent to computing the se- 
cret RSA key. So far there is no method known to extend the ideas of pE] to 

M. Bellare (Ed.): CRYPTO 2000, LNCS 1880, pp. I.TI- THfil 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 



132 Ingrid Biehl, Bernd Meyer, and Volker Muller 



cryptosystems based on the discrete logarithm problem over elliptic curves. In 
this paper we investigate how DFA techniques can be used to compute the secret 
key of an ECC smart card implementation. Our attacks can be used for elliptic 
curves defined over arbitrary finite fields. 

We consider the following scenario: a cryptographically strong elliptic curve 
is publicly known as part of the public key. The secret key d G 7Z is stored inside 
a tamper-proof device, unreadable for outside users. On input of some point P 
on the chosen elliptic curve, the device computes and outputs the point d ■ P. 
We assume that we have access to the tamper-proof device such that we can 
compute d ■ P for arbitrary input points P. 

The main common idea behind the attacks in Sect. 0 is the following: by 
inserting (in the first mentioned attack) or by disturbing the representation of 
a point by means of a random register fault we enforce the device to apply its 
point addition resp. multiplication algorithm to a value which is not a point 
on the given but on some different curve. It is a crucial observation as we will 
show in Sect. El that the result of this computation is a point on the new prob- 
ably cryptographically less strong curve which can be exploited to compute d. 
Thus these attacks work by misusing the tamper-proof device to execute its 
computation steps on group structures not originally intended by the designer 
of the cryptosystem. Similar ideas have been previously described in m where 
small order subgroups in (Z/pZZ)* are exploited to compute part of the secret 
key and in 0 for attacks against identification schemes. It is shown in 0 how 
identification schemes can be used to prove knowledge of logarithms and roots 
which do not even exist in the subgroup where the cryptosystem should make 
its computations. 

Moreover, we present a DFA- like attack in Sect. El which is similar to at- 
tacks against RSA in fJJ. There so called register faults are used to attack RSA 
smart card implementations. Register faults are transient faults that affect cur- 
rent data inside a register. All the circuitry is not influenced by these faults and 
works properly. For a more detailed discussion of that fault model, we refer to 
|U Sect. 3]. We use the same fault model and assume that we can enforce ran- 
dom register faults in the decryption or signing process. Incorrect output values 
caused by random register faults are used to compute possible intermediate val- 
ues of the computation and parts of the secret key. The intermediate values are 
not necessarily unique and one has to repeat the attack to get successively all 
bits of the secret key. The analysis of the probability of non-uniqueness and so 
of the costs of the computation of the secret key is the technically most compli- 
cated part of the analysis in the considered ECC case and cannot be based on 
the ideas presented in pE|. We sketch it in the appendix. 

We know no widespread applications of smart cards for signature generation 
or decryption where complete points are the output of the used tamper-proof de- 
vice. Therefore, we consider additionally as a more realistic scenario the situation 
that the tamper-proof device implements El-Gamal decryption. For El-Gamal 
decryption we can show that the attacks from Sect. H. 1 1 and IH1 have expected 
polynomial running time. Furthermore, it is shown that the attack of Sect. 14.21 



Differential Fault Attacks on Elliptic Curve Cryptosystems 133 



can be used against El-Gamal decryption and the elliptic curve digital signature 
scheme in expected subexponential running time. 

The fault models of DFA attacks have been criticized for being purely the- 
oretical. In 0 it is argued that a random one-bit error would be more likely to 
crash the processor of the tamper-proof device or yield an uninformative error 
than to produce a faulty ciphertext. Instead, glitch attacks which have already 
been used in the pay-TV hacking community, are presented in 12ITR1 as a more 
practical approach for differential fault analysis. The attacker applies a rapid 
transient in the clock or the power supply of the chip. Due to different delays in 
various signal paths, this affects only some signals and by varying the parameters 
of the attack, the CPU can be made to execute a number of wrong instructions. 
By carefully choosing the timing of the glitch, the attacker can possibly enforce 
register faults in the decryption or signing process and apply our attacks. 

The paper is structured as follows: Section Qgives an introduction to the well 
known theory of elliptic curves. Section Elexamines pseudo-addition, an operation 
which will play a crucial part in the DFA attacks. Sections E] and El describe three 
different attacks on ECC systems and show how faults can be used to determine 
the secret key d. We close with comments on possible countermeasures. 

2 Elliptic Curves 

In this section we review several well known facts about elliptic curves. Let K be 
a finite field of arbitrary characteristic, and let ai, a 2 , a%, CI4, a§ £ K be elements 
such that the discriminant of the polynomial given in m is not zero (the formula 
for the discriminant can be found in, e.g., | 5 j). Then the group of points E{K ) 
on the elliptic curve E = (0,4, a- 2 , 03, 04, a^) is given as 

| (a; ,y) £ K 2 : y 2 + a\xy + a 3 y = x 3 + a 2 x 2 + OaX + a 6 | U joj, ( 1 ) 

where O := (00, 00). Pairs of elements of K 2 which satisfy the polynomial equa- 

tion (ID are denoted as points on E. In the following we use subscripts like P E to 
show that P is a point on the elliptic curve E. We define the following operation: 

- for all P E £ E{K), set P e + O e = O e + P E := P E , ( 2 ) 

- for P E = (x, y)_ E , set —P E := (x, —y - a\X - a 3 ) E , 

- for xi = x 2 and y 2 = -yi -04X4- a 3 , set (xi,yi) + (x 2 ,y 2 ) ■= O e , 

- in all other situations, set (xi,yi)_E + {x 2 ,y 2 ) E '■= ( X3,y3) E , where 

X3 = A T 04 A — a 2 — X4 — x 2 
2/3 = -2/1 - (£3 - Xa) A - di x 3 - a 3 



with 



{ 3 x 2 + 2 a 2 X4 + 04 — aij/i 
2 2/1 + 0,4X4 + &3 

2/i ~ 2/2 
xa - x 2 



if a,’i = x 2 and 2/1 = 2/2, 



otherwise. 



134 Ingrid Biehl, Bernd Meyer, and Volker Muller 



As shown in 0, this operation makes E(I\) to an abelian (additive) group with 
zero element Oe- For any positive integer m we define m • Pe to be the result 
of adding Pe m — 1 times to itself. A crucial point that we will use in further 
sections is the fact that the curve coefficient ae is not used in any of the addition 
formulas given above, but follows implicitly from the fact that the point Pe is 
assumed to be on the curve E. 

In almost all practical ECC systems the discrete logarithm (DL) problem in 
the group of points on an elliptic curve is used as a trapdoor one-way function. 
The DL problem is defined as follows: given an elliptic curve E and two points 
Pe, d- Pe on E, compute the minimal positive multiplier d. A cryptographically 
strong elliptic curve is an elliptic curve such that the discrete logarithm problem 
in the group of points is expected (up to current knowledge) to be difficult. ECC 
system implementations should always use cryptographically strong curves. 

We will show in the following sections that random register faults can be used 
to compute information about a secret key d which is stored inside a tamper- 
proof device that computes d ■ P for some input point P. Thus our scenario 
becomes applicable if the device is used for the computation of the trapdoor 
one-way function d ■ P in a larger protocol. In practice however neither EC sig- 
nature generation nor EC cryptosystems use tamper-proof devices which output 
complete points. Consider for example the following EC El-Gamal cryptosystem 
(without point compression): 

Let E be a cryptographically strong elliptic curve. Given a point P £ E 
assume that Q = d ■ P is the public key and 1 < d < ord(P) the secret key of 
some user. For a point R let x(R) denote the ^-coordinate . The EC El-Gamal 
cryptosystem (without point compression) is given as follows: 



Encryption 




Decryption 


Input: message m, public key 




Input: ( H,m '), secret key d 


choose 1 < k < ord(P) randomly 




compute d ■ H 


return {k ■ P , x{k ■ Q) ® to) 




return m! ® x(d ■ El) 



If we combine the input and the output of the decryption process, then we can 
consider El-Gamal decryption as a black box that computes on input of some 
point H the ^-coordinate oi d ■ H . Using the curve equation corresponding to 
the input point H we can determine the points d ■ H and —(d ■ H). But we have 
to stress that one cannot distinguish which one of this pair of points is d ■ H. 



3 Pseudo-addition and Pseudo-multiplication 

Let E be a fixed cryptographically strong elliptic curve defined over a finite 
field K. We start with the following question: what happens when we use the 
operation defined in m for arbitrary pairs in K 2 instead for points on El In 
this section we will answer this question and deduce some properties of this new 
operation. 



Differential Fault Attacks on Elliptic Curve Cryptosystems 135 



Let 04,02,03,04 G K be the coefficients of E with the exception of a g. It 
should be noted that a 6 does not occur in the addition formulas Q) and is 
therefore not needed. Then it is easy to see that the operation |2|) is also well- 
defined for arbitrary elements in P := IC 2 U{(oo, 00)} (assuming that division by 
zero has the result 00). For two arbitrary pairs Pi G P, i = 1, 2, we denote this 
operation as pseudo-addition and write Pi ® Pi- Pseudo-subtraction is defined as 
pseudo-addition with the negative point and denoted with P1QP2 = Pl©(— P 2)- 
Moreover, for any positive integer n G IN and any pair Pi G V, we define a 
pseudo-multiplication n® Pi as the result of (• • • ((Pi © Pi) © Pi) ©■••)© Pi, 
where pseudo-addition © is used exactly n — 1 times. 

We present a few facts on the operation ©. Testing a few random example 
pairs in P, it becomes obvious that pseudo-addition © is in general no longer as- 
sociative. We can however prove the following weaker results on pseudo-addition. 

Theorem 1. Let two elements ( Xi,yi ) G P, i = 1,2, be given. Pseudo-addition 
is 

1 . commutative, i.e. {x\, y\) © (X2, 2/2) = (X2, 2/2) © (x 1: yi), 

2 . “weakly associative” : if x\ 7^ X2 or (x’4,2/4) = ±(£2, 2/2) 

{i.xi,yi) © (£2,3/2)) 0 (^2,2/2) = {xi,yi). 

Proof. The first assertion of the theorem follows directly from the symmetry of 
the formulas given in (0, testing all cases for the second assertion is a minor 
exercise for a computer algebra system. □ 

The discrete logarithm problem for elliptic curves is defined after multiplication 
of a point with a scalar. The following theorem describes a property of pseudo- 
multiplication. 

Theorem 2 . Let the number of elements in the field K be q. For at least g 2 + l — 
4 q elements P G P and all positive integers n,m, pseudo-multiplication satisfies 

1 . n®(m®P) = ( n-m)®P , 

2 . (n © P) © (to ® P) = (ro + to) © P. 

Proof. Note first that the assertions are trivial for the pair O. Let therefore 
P = (x, y) G P. Define Og = y 2 -\-a\xy+azy— x 3 — <X2X 2 — 0,4a;. If (ai, <X2, 03, 04, ag) 
defines an elliptic curve, then obviously P is a point on this curve, and the 
result of the theorem follows directly from the associativity of point addition. 
The number of exceptional pairs (x, y) that do not lead to elliptic curves can 
easily be bounded by 4 q since for given coefficients 04,02,03,04 there are only 
two possibilities for 06 such that the discriminant becomes zero. □ 

Finally, we examine how a fast multiplication algorithm behaves when used 
with pseudo-addition instead of ordinary point addition. A direct consequence 
of Theorem El is the following theorem. 



136 Ingrid Biehl, Bernd Meyer, and Volker Muller 



Theorem 3. Given a pair P = (x,y) £ V and a positive integer to. Assume 
that the tuple (04, 02, 03, 04, y 2 + a^xy + a%y — x 3 — a2X 2 — a^x) defines an el- 
liptic curve E' over K . Then any fast multiplication type algorithm with input 
(to, P 1 a\, 02, 03, 04) computes the result m®P accordingly to the addition defined 
in Sect, 0 Moreover, we have the equality to (g> P = to • Pe' , where Pe> = P 
and to • Pe 1 are points on E' and the latter is computed with “ordinary ” point 
additions. 

Remark 1 . The crucial idea of pseudo addition is the fact that one of the curve 
coefficients is not used in the addition formulas. However a different point rep- 
resentation, so called projective coordinates, is also often used in practice. The 
addition formulas for such representations (see, e.g., [7J A. 10.4]) have the same 
property. Therefore, the ideas presented in this paper can be adapted to other 
point representations typically used in practical applications. 



4 Faults at the Beginning of the Multiplication 

We start with the description of elliptic curve fault attacks. The first type of 
attacks however does not need the generation of any fault; it is an attack on 
“bad” implementations of ECC systems. 

4.1 No Correctness Check for Input Points 

The first attack is applicable when the device neither explicitly checks whether 
an input point P nor the result of the computation really is a point on the 
cryptographically strong elliptic curve E which is a parameter of the system. 
The attack is simple and should not be applicable to a well designed system, but 
nevertheless such a “bug” might happen in practice. 

Let E = (ai, d2, <23, 04, 06) be a given cryptographically strong elliptic curve, 
which is part of the setup of the ECC system. In this situation we input a pair 
P € V into the tamper-proof device which is not a point on E, but a point on 
some other elliptic curve E'. We choose the input pair P = (x, y) carefully, such 
that with Og = y 2 + aixy + a%y — x 3 — a2X 2 — 04a: the tuple (ai, 02, 03, 04, Og) 
defines an elliptic curve E' whose order has a small divisor r and such that 
ord(P) = r. With Theorem 0 we know that the output of the tamper-proof 
device with input P is then d ■ P on E'. Therefore, we end up with a discrete 
logarithm problem in the subgroup of order r generated by P € E' , namely given 
points P, d ■ P on E' , find d mod ord(P). We can repeat this procedure with a 
different choice of P and use the Chinese Remainder Theorem to compute the 
correct value of d. 

This algorithm is quite efficient if we do not choose P, but the curve E' first 
and compute P. The construction of such an elliptic curve E' can be done in 
essentially the same way as in the elliptic curve construction method described 
in (ZJ. First we try to find an integer to in the Hasse interval such that (q + 1 — 
to) 2 — 4 q has a large square factor and to a small factor. Then we can determine 



Differential Fault Attacks on Elliptic Curve Cryptosystems 137 



the j-invariant of an elliptic curve defined over K which has group order to. 
Finally, we have to check whether there exists an elliptic curve with coefficients 
,a4,cig that has the given j-invariant. The latter test can be solved by 
factoring a polynomial of degree 2 and yields a' 6 . We check for a few random 
values of x whether y 2 + a\xy + a^y — x 3 — a^x 2 — a^x — ag = 0 is solvable for 
y. The pair Pe' = ( x,y ) is chosen as input. Since m has a small divisor, given 
d ■ Pe' we can then determine the secret key modulo this small divisor (at least 
when this small divisor divides the order of P E ' on E'). 

If we apply this attack to the device computing the El-Gamal decryption 
as described in Sect. 0we cannot determine the y-coordinate of the resulting 
point uniquely. Given its x-coordinate w we can compute values z,z' such that 
(w, z), (w, z ') £ E ' and (w, z±) = —(w, z 2), but we cannot decide which of these 
points is d ■ P on E’ . By computation of the discrete logarithms of (w,z) and 
(■ w,z ' ) we therefore get values c,d with c = —d mod ord(P) and either d = c 
mod ord(P) or d = d mod ord(P). Thus we get d 2 = c 2 mod ord(P). To com- 
pute d we have to choose sufficiently many points Pi with small order such that 
lcm(ord(Pi), . . . ,ord(P s )) > d 2 . Then we get equations d 2 = cf mod orcl(P;) 
for 1 < * < s and can compute the value d 2 as an integer using the Chinese 
Remainder Theorem. The integer square root is the secret key d. 

4.2 Placing Register Faults Properly 

In the second attack we assume that we can enforce register faults inside the 
“tamper-proof” device at some precise moment at the beginning of the multi- 
plication process. If the “tamper-proof” device checks whether the given input 
point is a point in the group of points of the cryptographically strong elliptic 
curve E, the attack of Sect. rm is no more applicable. Assume however that we 
can produce one register fault inside the tamper-proof device right after this test 
is finished. Then the device computes internally with a pair P' which differs in 
exactly one bit from the input point P. Therefore, the device computes and 
if it does not check whether the output is a point on E - outputs d® P ' . With 
Theorem 0 we deduce that d® P 1 lies on the same elliptic curve E' as P' . We 
determine ag such that the output pair d® P' satisfies the curve equation with 
coefficients (ai, 02, a3, 04, ag). If these coefficients define an elliptic curve E’ , we 
have reduced the original DL problem on If to a DL problem on E’\ check for all 
possible candidates P' ( P' is unknown outside the device, but remember that P' 
differs in only one bit from the known point P) whether this candidate is a point 
on E' and - if so - try to solve the DL problem on E' . First, we compute ord^') 
the number of points on E' using algorithms for point counting. If ord^ 7 ) has 
a small divisor r, we solve the DL problem for the points (ord (E')/r) ■ P' E , and 
d ■ ((ord (E')/r) ■ P' E ’)- This gives an equation d = c mod r for some value c. 
Repeating this step with different divisors r we can compute d with the Chinese 
Remainder Theorem. 

As described in Sect.Q we can consider El-Gamal decryption as a black box 
that on input of some point P computes x{d- P) where d is the secret key stored 
inside the tamper-proof device. Note however that we cannot apply directly the 



138 Ingrid Biehl, Bernd Meyer, and Volker Muller 



attack from this section since we do not know the y-coordinate of the output 
point. Without the y-coordinate we cannot determine the curve E' to which 
the output P' belongs. In general there are many possible curves. It is however 
possible to solve the DL problem with non-negligible probability if there exists 
a curve E' corresponding to a base point P' resulting from a one-bit error such 
that the order of E' is smooth. Then we use the algorithm of Pohlig-Hellman 
(see m) to compute d. 

Similar to the analysis of Lenstra’s Elliptic Curve Factoring Method □ , it 
follows that we have to consider subexponentially many random elliptic curves 
until one of them has (subexponentially) smooth order. Thus the expected num- 
ber of trials of the attack with random points P € E until we find such a smooth 
curve and can determine the secret multiplier d is subexponential again. 

A similar situation occurs in the elliptic curve DSA signature scheme. In EC 
DSA, we have two primes p, q which are about the same size, an elliptic curve E 
over F 9 , and a point P on E of order p. The public key is (p, q , E, P, Q) where 
Q = d ■ P for some secret value d. To sign a message m with hash value h , the 
signer randomly chooses an integer 1 < k < p — 1, computes k • P = (aq,yi), 
r = x i mod p , and s = fc^ 1 (/i + dr) mod p. The signature is (r, s). 

Please note that we cannot input a point here but a publicly known point 
P is used as base point for the computation. We again disturb the computation 
of k ■ P by a register fault right at the beginning, i.e. P is replaced by some 
P' . The tamper-proof device then computes the signature r' = x{k ■ P') mod p, 
and s' = k~ 1 (h + dr') mod p. Knowing this signature, we can use the following 
algorithm for all possible candidates P for P'\ 

— compute the curve E corresponding to P - if it exists 

— derive from r' a small set of possible values for the cc-coordinate of x(k ■ P') 
(since p , q are of about the same size), 

— compute two candidates for the corresponding y-coordinate by means of the 
equation for E. 

In case P was correctly chosen and E is a weak curve with respect to the discrete 
logarithm problem and ord(P) > p — 1, one can first find k 7 and then the secret 
key d as d = r'~ l {s'k — h) mod p. 

If we disturb the base point P in such a way that P' and P differ only in 
one bit, we have only 21og(y) possible choices for the curve E' and it is very 
unlikely that we get a curve with subexponentially smooth order and that the 
attack succeeds. But if we manage to change o(log(y)) many bits at once such 
that we get subexponentially many different choices for E' then there is with 
high probability at least one curve with smooth order among them and we can 
compute the one-time key k and so the secret key d, i.e. the signature scheme 
is completely broken. The expected number of trials to get such a curve E' is 
subexponential again. 



Differential Fault Attacks on Elliptic Curve Cryptosystems 139 



5 Faults at Random Moments of the Multiplication 

In this section we sketch an attack that works even if we cannot influence the 
exact position in the computation process, at which the enforced random register 
fault happens. 

In P|, the authors show how to attack RSA smart card implementations by 
enforcing register faults at random time in the decryption or signing process. The 
most important operation in RSA is fast exponentiation. For elliptic curves, the 
situation is similar and we can use some of the ideas of Hj. 

In the following we assume that the used elliptic curve is cryptographically 
strong, especially we assume that -E(F g ) contains a subgroup of prime order 
p with p > q/\og(q). The operation Q = d ■ P is usually done with either a 
“right-to-left” or a “left-to-right” multiplication algorithm. Since the ideas for 
the attacks in both cases are very similar we restrict ourselves here to the “right- 
to-left” multiplication algorithm and show: if one can enforce a fault randomly 
in a register at a random state of the computation than one can recover the 
secret key in expected polynomial time. 

We start with a result for a fault model where we can introduce register faults 
during the computation of an a-priory chosen specific block of multiplier bits, 
e.g. we assume that we can repeatedly input some point Pe on E into the tamper- 
proof device and enforce a register fault during m successive iterations of the fast 
multiplication algorithm. Then we will show that we can relax this condition, 
i.e. even if one cannot influence at which block the register fault happens one can 
deduce the secret key after an expected number of polynomially many enforced 
random register faults. We will present a rather informal description of the attack 
which abstracts from some less important details. 

The right-to-left multiplication algorithm works as follows (we denote by 
(d n - 1 d n - 2 . . . do)2 the binary representation of a positive integer d, where e?o is 
the least significant bit): 

H = P; Q = 0; 

for i = 0 , ... , n-1 do 

if (d_i == 1) then Q = Q + H; 

H = 2 * H; 
output Q ; 

To simplify the notation assume that we know the binary length n of the un- 
known multiplier d (note that an attacker can “guess” the length of d). Denote 
by < 9 ^), ifM the value stored in the variable Q , H in the algorithm description 
before iteration i. 

The basic attack operation works as follows: we use the tamper-proof device 
with some input point Pe to get the correct result = d ■ Pe and moreover 
we restart it with input Pe but enforce a random register fault to get a faulty 
result Q^ n \ Assume that we enforce the register fault in iteration n — m<j < n, 
and that this fault flips one bit in a register holding the variable Q (the case 
that a bit in H is flipped can be handled similarly). Then Q^) i§ a disturbed 
Q -value, i.e. a pair in V 2 that differs in exactly one bit from 



140 Ingrid Biehl, Bernd Meyer, and Volker Muller 



Next we try to find the index of the first iteration j' with j’ > j and dj> = 1 
given Q ^ and Q^ n \ For simplicity reasons we assume that there is at least one 
non-zero bit among the in most significant bits of d, i.e. f exists (we omit the 
technically more difficult case of m zero bits here for reasons of readability). We 
can find a candidate for the disturbed Q-value ^ with the following method: 
successively, we check each i with n — m < i < n as candidate for j' , each 
x £ {0, l} n ~ z with least significant bit 1 as candidate for the i most significant 
bits of d, and each Qx' 1 = Q -x-2 1 ■ P E as candidate for For each choice 
of x and i we consider all disturbed Q-values Qx' 1 which we can derive from 
Qx by flipping one bit. Then we check whether this may be the disturbed value 
which appeared in the device, i.e. we simulate the computation of the device, 
compute the corresponding result value and check whether it is identical with the 
found value Q^ n \ More precisely: we use pseudo-additions with points X(2 l+i -P E 
for t = 0, . . . , n — i — 1 where x = (x n -i- 1 . . . £ 0)2 with Xq = 1 is the binary 
representation of x to get for candidates i,x,Qx\ and Qx 1 the corresponding 
faulty result 

Qi n) = (■■■ ((Qx ] © 34)2* • P E ) © xa +1 ■ P E ) © • • • ) © z ■ P E . 



If Qx ^ is equal to the faulty result Q ^ output by the device, then we have found 
i as a candidate for j’, Q^ as a candidate for Q^ I , and the binary representation 
of x as a candidate for the upper n — j ' bits of d. 



j iterations 




n-j iterations 




Q(0> 




Ql”) Q<n) 



By trying faults on Q and on H and all m possibilities for i and corresponding 
integers x we can make sure that this procedure outputs at least one candidate 
for Qd I (or for H^\ in the case the fault occurs in H) . In case there is only one 
candidate suitable for P E , Q^ n \ m, and for (/© we h ave computed the n — j’ 
upper bits of the secret key d. One can show that the probability is small that 
more than one candidate survives (more details can be found in the appendix). 

To reveal step by step all bits of d we start to compute the most significant 
bits as explained above and work downwards to the least significant bits by 




Differential Fault Attacks on Elliptic Curve Cryptosystems 141 



iterating the same procedure with new random register faults in blocks of at 
most m iterations. In each step we use the information that we already know 
about d to restrict the range of test integers x which have to be considered. 

Theorem 4. Let m = o(log log log q) and let n be the binary length of the 
secret multiplier. Assume that we can generate a register fault in an a-priory 
chosen block of m iterations of the multiplication algorithm. Using an expected 
number of 0(n ) register faults we can determine the secret key d in expected 
0(nm2 m (logq) 3 ) bit operations. 

Finally, we consider the more general situation in which we cannot induce register 
faults in small blocks, but only at random moments during the multiplication. As 
in one can show that for a large enough number t of disturbed computations 
we get a reasonable probability that errors happen in each block of m iterations. 

Theorem 5. Let E be an elliptic curve defined over a finite field with q ele- 
ments, let m = o(logloglogg), and let n be the binary length of the secret mul- 
tiplier. Given t = 0((n/m) log(ro)) faults, the secret key can be extracted from 
a device implementing the “right-to-left” multiplication algorithm in expected 
0(n 2 m (logq) 3 log(n)) bit operations. 

Thus this theorem can be summarized as follows: if we consider the size of the 
used finite field as a constant then we need 0(?rlog(n)) accesses to the tamper- 
proof device to compute in 0(n log(ra)) bit operations the secret key of bit length 
n. Please notice that the block size m we used as parameter of our algorithm 
reflects the tradeoff between the number of necessary register faults and the 
running time to analyse the output values influenced by these faults. It depends 
on the attackers situation whether more accesses to the tamper-proof device or 
more time for the analysis can be spent. 

Remark 2. We have implemented a software simulation of the algorithm given 
above and attacked several hundred randomly chosen elliptic curves. Obviously, 
one can find easily non-unique solutions for the indices j and the parts of x 
of the corresponding discrete logarithms if the order of the base point Pe is 
small in comparison with 2 m where to is the length of the block containing the 
error. Also, if the size of the field is very small (< 1000) the algorithm often 
finds contradicting solutions. Both cases are not relevant for a cryptographically 
strong elliptic curve. In all tested examples with size of the field bigger than 
2 64 , randomly chosen curve, and random point on the curve we determined the 
complete secret multiplier d without problems. 

If we apply this attack to the device computing the El-Gamal decryption as 
described in Sect. El we cannot determine the y-coordinate of the resulting point 
uniquely. Since we know the equation of the curve we can compute points Q 
and — Q such that the correct result Q ^ of the device is one of these points. 
We start the described attack on both points Q and — Q and compare only the 
^-coordinate of the disturbed results of the attack with the ^-coordinate of the 
faulty result x(Q^) of the device. Using this procedure we find at least one 



142 Ingrid Biehl, Bernd Meyer, and Volker Muller 



candidate for some point Q^) (or for some point H^\ in the case the fault 
occurs in H) and can determine the upper bits of the secret multiplier d if the 
candidate is unique. 

6 Countermeasures 

It became obvious in the preceding sections that DFA techniques for elliptic 
curves depend mainly on the ability to disturb a point on E to “leave” the 
group of points and become an ordinary pair in V . Countermeasures against 
all attacks presented in this paper are therefore obvious. Although it is part of 
the protocols of most cryptosystems based on elliptic curves to check whether 
input points indeed belong to a given cryptographically strong elliptic curve 
it follows from the described attacks that it is even more important for the 
tamper-proof device to check the output point or any point which serves as 
basis for the computation of some output values. If any of these points, input 
points or computed points, do not satisfy this condition, no output is allowed to 
leave the device. This countermeasure for ECC is similar to the countermeasures 
proposed against DFA for RSA where the consistency of the output also has to 
be checked by the device. 



Acknowledgements 

We would like to thank the unknown referees for several suggestions which im- 
proved the quality and readability of the paper. Moreover, we would like to thank 
Susanne Wetzel and Erwin HeB for discussions. Our thank belongs especially to 
Arjen K. Lenstra who gave us a lot of support to improve the paper and pointed 
out to us the subexponential time attacks against El-Gamal decryption and EC 
DSA in Sect. 14.21 

References 

1. R. J. Anderson and M. G. Kuhn: Tamper Resistance - a Cautionary Note , Pro- 
ceedings of Second USENIX Workshop on Electronic Commerce 1996, pp. 1—11. 

2. R. J. Anderson and M. G. Kuhn: Low Cost Attacks on Tamper Resistant Devices, 
Lecture Notes in Computer Science 1361, Proceedings of International Workshop 
on Security Protocols 1997, Springer, pp. 125-136. 

3. E. Biham and A. Shamir: Differential Fault Analysis of Secret Key Cryptosystems , 
Lecture Notes of Computer Science 1294, Proceedings of CRYPTO’97, Springer, 
pp. 513-525. 

4. D. Boneh, R. A. DeMillo, and R. J. Lipton: On the Importance of Checking Crypto- 
graphic Protocols for Faults, Lecture Notes of Computer Science 1233, Proceedings 
of EUROCRYPT’97, Springer, pp. 37-51. 

5. M. Burmester: A Remark on the Efficiency of Identification Schemes, Lecture 
Notes of Computer Science 473, Proceedings of EUROCRYPT’90, Springer, 
pp. 493-495. 

6. I. Connell: Elliptic Curve Handbook, Preprint, 1996. 



Differential Fault Attacks on Elliptic Curve Cryptosystems 143 



7. IEEE P1363 Draft Version 12: Standard Specifications for Public Key Cryptography, 
available on the Homepage of the IEEE. 

8. O. Kommerling and M. G. Kuhn: Design Principles for Tamper- Resistant Smart- 
card Processors , Proceedings of USENIX Workshop on Smartcard Technology 1999, 
pp. 9-20. 

9. H. W. Lenstra: Factoring Integers with Elliptic Curves, Annals of Mathematics, 
126 (1987), pp. 649-673. 

10. C. H. Lim and P. J. Lee: A Key Recovery Attack on Discrete Log-based Schemes 
Using a Prime Order Subgroup, Lecture Notes of Computer Science 1294, Proceed- 
ings of CRYPTO’97, Springer, pp. 249-263. 

11. A. Menezes: Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publish- 
ers, 1993. 

12. S. Pohlig and M. Heilman: An Improved Algorithm for Computing Logarithms 
over GF(p) and its Cryptographic Significance, IEEE Transactions on Information 
Theory, vol. 24 (1978), pp. 106-110. 

13. J. H. Silverman: The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics 
106, Springer 1986. 



Appendix: Success Probability of the Attack in Sect. El 

We denote by QW resp. 77 ^ the value stored in the variable Q resp. 77 before 
iteration i of the right-to-left multiplication algorithm described in Sect.0 We 
know also the correct result Q ( n ' ) = d ■ Pe and a faulty result for a given 
base point Pe on E. 

We define a disturbed Q -value with respect to Pe, Q^ n \ to to be a pair in 
P 2 that differs in exactly one bit from some for n — m < i < n. Assume 
that we enforce a register fault in iteration n m < j < n, and that this fault 

flips one bit in a register holding the variable Q. Denote by Qh) the resulting 
disturbed Q- value. According to the right-to-left multiplication algorithm we 
try all possible indices n — m < i < n and all integers x with exactly n — i 
bits (least significant bit 1) to compute candidates for disturbed Q-values 
that lead to the faulty result Q^ n \ The second place where a register fault can 
happen is the register holding the variable H in the algorithm. The procedure 
for this case is quite similar. Again, we try all possible indices n — m < i < n 
and all integers x of exactly n — i bits (least significant bit 1). If the fault is now 
introduced in the variable H (i.e. into one of the points 77 ^ = 2* • Pe), this 
results in some disturbed 77-value 77^ and is then propagated by the loop of 
the algorithm. By trying both Q- and 77-case and all m possibilities for i and 
corresponding integers x we can make sure that this procedure outputs at least 
one candidate for Qb') or f or fjO) , l n case there is only one candidate suitable for 
Pe, Q {n \ to and for Q we call this candidate a uniquely determined disturbed 
value with respect to Pe, Q ( ' n \ to. Otherwise, a candidate is called non-uniquely 
determined disturbed value. 

In Lemma Owe will prove that for to = o(logloglog q), all d and almost all 
points Pe there are at most three different non-uniquely disturbed values. Thus 
the expected number of necessary repetitions of attacks (i.e. choosing a point 



